The most recent known Amazon data breach happened on October 6, 2021, when an unknown hacker leaked sensitive data pertaining to Twitch, a streaming service owned by Amazon. This leak included Twitch’s source code, streamers’ earnings numbers, and more, but does not appear to have compromised users’ login credentials or credit card information.
The most recent data breach involving Amazon itself occurred in October 2020, when a disgruntled Amazon employee leaked customer data to a third party for the second time that year. There have also been numerous breaches in Amazon Web Services (AWS) over the years, most often due to improperly configured S3 buckets. You can read more in our article on AWS data breaches.
Below, we’ll go into more detail on the full history of Amazon breaches, starting with the most recent.
October 2021: Hacker Leaks Twitch Data to 4chan
On October 6, 2021, there was a major data breach to Twitch, a streaming platform owned by Amazon. An unknown attacker posted 128 gigabytes of leaked files to a 4chan message board, including Twitch’s source code, earnings numbers for streamers, and more. Though the attacker has not yet been identified, in their 4chan post they stated an activist motive:
“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them.”
In a blog post, Twitch stated that this data was exposed due to an error in Twitch’s server configuration. On October 15, Twitch reaffirmed that no passwords, login credentials, credit card numbers, or bank information was leaked in the attack. In the same blog post, Twitch stated that they were directly contacting those affected by the breach.
October 2020: Customer Email Address Leaked by Malicious Employees
For the second time in 2020, disgruntled Amazon employees released a number of Amazon customer email addresses to third parties voluntarily.
The employees responsible for the insider breach were fired. While Amazon did directly email any customers that may have had their email addresses distributed to a third party, it isn’t clear precisely how many customers were impacted by the incident.
January 2020: Employees Share Customer Contact Info with Third Party
A group of employees was ultimately fired after they were caught sharing sensitive customer data with a third party. A number of customer email addresses and phone numbers were released, though it isn’t clear precisely how many.
It’s unclear whether these two incidents were connected, and Amazon has not been forthcoming with greater detail.
September 2019: Amazon Japan Personal Data and Order Histories Exposed
In late-September 2019, Amazon Japan users were suddenly seeing the order histories of other shoppers. Along with purchase details, shopper names and delivery addresses were also viewable.
It isn’t entirely clear how many users of the Japanese Amazon site were impacted by the issue. However, within days of the incident making headlines, Amazon announced that it resolved the problem and had contacted customers who reached out about the issue.
November 2018: Customer Names and Email Addresses Exposed
Just two days before Black Friday in November 2018, Amazon announced a major data breach involving customer names and email addresses. The company stated that it reached out to impacted users but didn’t disclose the extent of the breach, which it called a technical issue that led to the accidental posting of customers’ private information on the website.
July 2016: Hacker Claims to Breach 80,000 Amazon Accounts
In July 2016, a hacker identifying as #0x2Taylor claimed on Twitter to have breached an Amazon server and obtained personal information on more than 80,000 Kindle users. He threatened to leak the data if Amazon did not pay him $700. When Amazon did not pay him, he posted this information online.
However, Amazon denied that they had been breached: “We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts.” In this case, it’s hard to tell for sure whether or not Amazon was actually breached.
November 2015: Amazon Resets User Passwords as a Precautionary Measure
In November 2015, Amazon forced a reset on many user’s passwords. While there does not appear to have been an actual breach, Amazon seems to have identified a credible risk and taken this security measure just in case.
December 2014: Anonymous Hackers Leak Passwords for Amazon and Other Sites
In December 2014, hackers associated with the group Anonymous leaked 13,000 usernames and passwords for Amazon, Walmart, Playstation Network, Xbox Live, and other websites. It’s unclear where or how they obtained this information, though they did state their motive: “We did for the Lulz.”
January 2012: Zappos Breach Exposes 24 Million Accounts
In January 2012, a hacker breached the servers of Zappos, an Amazon-owned online store. Although up to 24 million Zappos customers’ information was exposed in this attack, apparently Amazon accounts were not affected.
We did not find any earlier records of data breaches directly involving Amazon.