The most recent known Amazon data breach happened in October 2020, when disgruntled employees leaked customer information to a third party. This was the second time this happened in 2020, following a similar incident in January. So far in 2021, there have been no known Amazon breaches.
There have also been numerous breaches in Amazon Web Services (AWS) over the years, most often due to improperly configured S3 buckets. However, Amazon is not exactly responsible for configuration mistakes made by the companies they provide services for. You can read more in our article on AWS data breaches.
Below, we’ll go into more detail on the full history of Amazon breaches, starting with the most recent.
October 2020: Customer Email Address Leaked by Malicious Employees
For the second time in 2020, disgruntled Amazon employees released a number of Amazon customer email addresses to third parties voluntarily.
The employees responsible for the insider breach were fired. While Amazon did directly email any customers that may have had their email addresses distributed to a third party, it isn’t clear precisely how many customers were impacted by the incident.
January 2020: Employees Share Customer Contact Info with Third Party
A group of employees was ultimately fired after they were caught sharing sensitive customer data with a third party. A number of customer email addresses and phone numbers were released, though it isn’t clear precisely how many.
It’s unclear whether these two incidents were connected, and Amazon has not been forthcoming with greater detail.
September 2019: Amazon Japan Personal Data and User Order Histories Exposed
In late-September 2019, Amazon Japan users were suddenly seeing the order histories of other shoppers. Along with purchase details, shopper names and delivery addresses were also viewable.
It isn’t entirely clear how many users of the Japanese Amazon site were impacted by the issue. However, within days of the incident making headlines, Amazon announced that it resolved the problem and had contacted customers who reached out about the issue.
November 2018: Customer Names and Email Addresses Exposed
Just two days before Black Friday in November 2018, Amazon announced a major data breach involving customer names and email addresses. The company stated that it reached out to impacted users but didn’t disclose the extent of the breach, which it called a technical issue that led to the accidental posting of customers’ private information on the website.
July 2016: Hacker Claims to Breach 80,000 Amazon Accounts
In July 2016, a hacker identifying as #0x2Taylor claimed on Twitter to have breached an Amazon server and obtained personal information on more than 80,000 Kindle users. He threatened to leak the data if Amazon did not pay him $700. When Amazon did not pay him, he posted this information online.
However, Amazon denied that they had been breached: “We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts.” In this case, it’s hard to tell for sure whether or not Amazon was actually breached.
November 2015: Amazon Resets User Passwords as a Precautionary Measure
In November 2015, Amazon forced a reset on many user’s passwords. While there does not appear to have been an actual breach, Amazon seems to have identified a credible risk and taken this security measure just in case.
December 2014: Anonymous Hackers Leak Passwords for Amazon and Other Sites
In December 2014, hackers associated with the group Anonymous leaked 13,000 usernames and passwords for Amazon, Walmart, Playstation Network, Xbox Live, and other websites. It’s unclear where or how they obtained this information, though they did state their motive: “We did for the Lulz.”
January 2012: Zappos Breach Exposes 24 Million Accounts
In January 2012, a hacker breached the servers of Zappos, an Amazon-owned online store. Although up to 24 million Zappos customers’ information was exposed in this attack, apparently Amazon accounts were not affected.
We did not find any earlier records of data breaches directly involving Amazon.