Amazon has been breached and the information of 80,000 of its users has been leaked online… or so it has been claimed.
This new alleged dump was apparently perpetrated by a security researcher calling himself 0x2Taylor.
The leaked information is supposed to contain a host of personally identifiable information about Amazon Kindle customers including emails, passwords, addresses, phone numbers, zip codes and LastLoginIPs.
0x2Taylor said he posted the data after several attempts to contact Amazon – to alert it to a number of critical security flaws – were ignored.
After 0x2Taylor hacked the server, he said the e-commerce company could pay him USD$700 (£539) for the whole tranche of exfiltrated data to ensure that it was never published online or found its way into the wrong hands.
0x2Taylor even posted the data to Twitter as supposed proof that he had it.
Once again, his request apparently returned a deafening silence.
So in turn, 0x2Taylor leaked the info on Mega.nz.
However, despite repeatedly failing to draw Amazon's attention to the alleged security flaws, there is still no excuse for disclosing a bug in this fashion, according to industry commentators.
Steve Armstrong, managing director of Logically Secure, told SCMagazineUK.com, “This is not what we would call responsible disclosure. It's blackmail, so I can understand Amazon's reticence to make any payment or enter into negotiations, regardless of the price – it's a matter of principle.”
Armstrong added, “However, this is why many companies open up bug bounty programmes, to provide a platform through which users and researchers can notify and be rewarded for responsible disclosure. I cannot see this ending well for Amazon, 0x2Taylor or the users whose account details are being bandied about.”
Although Hacked-DB, among other sources, has claimed that the information was legitimate and has not yet been made public, Amazon doesn't agree.
A spokesperson from the online retail giant told SC, “We have confirmed that this information did not come from Amazon's servers, and that the accounts in question are not legitimate Amazon customer accounts.”
Furthermore, when others tried to test the information by calling the numbers listed or searching for the addresses detailed in the dump, they found little.
Brian Wallace, a security researcher, told NetworkWorld, “I believe the data released is not representative of actual Amazon users, but instead this information was generated.”
He added, “It is not clear whether this information was generated by the individual who released the information, or if it was generated by a third party, and that information was then obtained by the individual who released it.”
A Hacked-DB spokesperson told SC that the accounts are in fact valid but the ‘passwords’ “are not actually passwords rather they are session keys and other parameters [that] reside in the Amazon cookie data.”
The spokesperson added, “We have analysed the content and compared it with the current Amazon cookies, and the structure of the data is exactly the same as can be seen in the file content.”
“We cannot verify where the attack came from, our speculations are that it could be compromised by a log file that resides on a hacked server, or from an MITM attack on a malicious website but NOT directly from the Amazon infrastructure.”
The data appears to have been taken from an Azure platform.
Furthermore, Hacked-DB detected 53,601 cookies within the leaked data that belong to rubiconproject.com, an advertising company. The spokesperson concluded, “Maybe rubiconproject has been compromised? We can't know for sure.”
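As an added defender-side triage example, not part of the article or of Hacked-DB's own analysis, the following Python script runs the two checks the quotes describe over a constructed dump: whether the "password" fields look like session keys rather than user-chosen passwords, and how many cookie records belong to each domain. The sample records, the entropy and length thresholds, and the domain grouping rule are my assumptions, not anything from the real leak.

```python
import csv
import io
import math
import re
from collections import Counter

# Constructed sample in the shape the article describes (email, "password",
# LastLoginIP); every value is made up for illustration.
SAMPLE_DUMP = (
    "email,password,LastLoginIP\n"
    "alice@example.com,a9F3kL0pQz8TnB2vX6wY1cE5rU7hJ4mN,203.0.113.10\n"
    "bob@example.com,Summer2016!,198.51.100.7\n"
)
# Constructed cookie records: domain, name, value (tab separated).
SAMPLE_COOKIES = (
    ".rubiconproject.com\tkhaos\tabcdef1234567890abcdef1234567890\n"
    ".rubiconproject.com\tput_1234\tZmFrZXZhbHVl\n"
    ".amazon.com\tsession-id\t123-4567890-1234567\n"
    ".amazon.com\tubid-main\t987-6543210-7654321\n"
    ".example.net\t_ga\tGA1.2.111111111.2222222222\n"
)
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def shannon_entropy(value):
    """Bits per character, estimated from the value's own character histogram."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_like_token(value):
    """Long, high-entropy, token-charset strings read as session keys or cookie
    parameters rather than a password a person chose (assumed thresholds)."""
    return (len(value) >= 20 and bool(TOKEN_CHARS.match(value))
            and shannon_entropy(value) >= 3.5)

def classify_dump(text):
    """Label each record's password field as 'token-like' or 'password-like'."""
    return {row["email"]: ("token-like" if looks_like_token(row["password"])
                           else "password-like")
            for row in csv.DictReader(io.StringIO(text))}

def cookies_by_domain(text):
    """Count cookie records per domain (last two labels, leading dot dropped)."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            domain = line.split("\t", 1)[0].lstrip(".")
            counts[".".join(domain.split(".")[-2:])] += 1
    return counts
```

On the constructed sample, `classify_dump` flags the 32-character value as token-like and the short human-style string as password-like, and `cookies_by_domain` attributes two records each to rubiconproject.com and amazon.com.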
0x2Taylor did not respond to a request for comment.