Amazon confirms employee data breach, but says it’s limited to contact info

Amazon says a data breach exposed the email addresses, phone numbers, and building locations linked to its employees, as reported earlier by 404 Media. In a statement to The Verge, Amazon spokesperson Adam Montgomery said the company was “notified about a security event at one of our property management vendors that impacted several of its customers, including Amazon.”

The confirmation follows a report from the cybercrime firm Hudson Rock saying that information posted on the hacking forum includes data from Amazon and 25 other entities, including MetLife, HP, HSBC, and Canada Post.

Hudson Rock says the leaked info dates back to May 2023, and it’s related to the major security vulnerability in the MOVEit file transfer system that came to light last year, adding Amazon to a list of affected organizations that already included the BBC, British Airways, Sony, the US Department of Energy, and many others. They also note that the person who posted the information claimed it’s “just a tiny portion of the data they have.”

“Amazon and AWS systems remain secure, and we have not experienced a security event,” Montgomery said. “The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.”

It’s unclear how many employees were affected by the breach, but a screenshot of the hacking forum post shows more than 2.8 million lines in the purported Amazon dataset. Montgomery told The Verge that the breach didn’t involve employee social security numbers, government identity documents, or financial data.