In June 2022, a former Amazon employee was convicted for her role in the 2019 Capital One breach. The hacker in question used her insider knowledge of cloud server vulnerabilities to hack over 30 companies and illegally access the personal data of over 100 million people. She now faces up to 45 years in prison.
Otherwise, the most recent known Amazon data breach happened on October 6, 2021, when an unknown hacker leaked sensitive data pertaining to Twitch, a streaming service owned by Amazon. This leak included Twitch’s source code, streamers’ earnings numbers, and more, but does not appear to have compromised users’ login credentials or credit card information.
There have also been numerous breaches in Amazon Web Services (AWS) over the years, which you can read about in our article on AWS data breaches. Below, we’ll go into more detail on the full history of Amazon breaches, starting with the most recent.
June 2022: Former Amazon Employee Convicted for Capital One Breach
In June 2022, former Amazon employee Paige Thompson was convicted for her role in the 2019 Capital One breach. While working for Amazon Web Services, Thompson exploited her knowledge of cloud server vulnerabilities at Capital One and more than 30 other companies. All told, Thompson stole the personal information of over 100 million people, including names, dates-of-birth, and social security numbers.
The defense portrayed Thompson as an ethical hacker seeking to notify companies of vulnerabilities before bad actors could exploit them. The U.S. Department of Justice argued otherwise, noting that Thompson failed to notify the companies she breached, bragged about the incident on hacker forums under the alias “erratic”, and profited from the breach by installing cryptomining software on many of the servers she hacked. As assistant U.S. attorney Andrew Friedman put it in his closing arguments, “She wanted data, she wanted money, and she wanted to brag.”
After ten hours of deliberation, a Seattle jury found Thompson guilty of wire fraud, as well as five counts of unauthorized access to a protected computer and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft. Thompson could face up to 45 years in prison.
Capital One does not seem to have been free of responsibility for the incident. Finding its security practices lacking, the Office of the Comptroller of the Currency fined Capital One $80 million, and the company paid out an additional $190 million settlement in a class action lawsuit.
October 2021: Hacker Leaks Twitch Data to 4chan
On October 6, 2021, there was a major data breach of Twitch, a streaming platform owned by Amazon. An unknown attacker posted 128 gigabytes of leaked files to a 4chan message board, including Twitch’s source code, earnings numbers for streamers, and more. Though the attacker has not yet been identified, in their 4chan post they stated an activist motive:
“Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them.”
In a blog post, Twitch stated that this data was exposed due to an error in Twitch’s server configuration. On October 15, Twitch reaffirmed that no passwords, login credentials, credit card numbers, or bank information was leaked in the attack. In the same blog post, Twitch stated that they were directly contacting those affected by the breach.
July 2021: EU Fines Amazon €746 Million Over GDPR Violations
In July 2021, the Luxembourg National Commission for Data Protection issued a 746 million euro fine to Amazon for allegedly violating the European Union’s General Data Protection Regulation (GDPR). According to the Commission, Amazon mishandled personal data in violation of the legal standards set by the GDPR.
In response, Amazon asserted they would appeal the fine, saying that it was “without merit” and that there had been “no data breach.”
October 2020: Customer Email Address Leaked by Malicious Employees
For the second time in 2020, disgruntled Amazon employees voluntarily released a number of Amazon customer email addresses to third parties.
The employees responsible for the insider breach were fired. While Amazon did directly email any customers that may have had their email addresses distributed to a third party, it isn’t clear precisely how many customers were impacted by the incident.
As you’ll see, internal threats present a recurring problem at Amazon. Over and over again, Amazon employees have leaked customer data and proprietary information to outside parties.
September 2020: Six People Indicted in Scheme to Bribe Amazon Employees
In September 2020, a grand jury in Washington indicted six people on charges of bribing Amazon employees to gain an unfair advantage in Amazon’s third-party marketplace. All six of the defendants had provided consulting services to Amazon sellers, and three had sold products of their own. Through bribery and fraud, these sellers illicitly obtained customer data, made attacks against competing sellers, and restored product listings that Amazon had previously taken down.
January 2020: Employees Share Customer Contact Info with Third Party
In January 2020, Amazon caught a group of employees sharing sensitive customer data with third parties. A number of customer email addresses and phone numbers were released, though it isn’t clear precisely how many. In response, Amazon fired the employees in question.
It’s unclear whether these two incidents were connected, and Amazon has not been forthcoming with greater detail.
September 2019: Amazon Japan Personal Data and Order Histories Exposed
In late September 2019, Amazon Japan users found themselves able to view the order histories of other shoppers. Along with purchase details, shopper names and delivery addresses were also viewable.
It isn’t entirely clear how many users of the Japanese Amazon site were impacted by the issue. After the incident made the news, Amazon announced that it resolved the problem and had contacted customers about the issue.
November 2018: Amazon Uncovers Moles Working for Third-Party Seller
In November 2018, Amazon’s security division discovered that a third-party retailer known as Krasr had paid approximately $160,000 in bribes to Amazon employees. In exchange, those employees sabotaged Krasr’s competitors on Amazon’s marketplace.
Amazon identified and fired seven employees who had taken money from Krasr. They referred Krasr to the FBI, but it does not appear Krasr’s owner has been arrested or charged with any crimes.
November 2018: Customer Names and Email Addresses Exposed
Just two days before Black Friday in November 2018, Amazon announced a major data breach involving customer names and email addresses. The company stated that it reached out to impacted users but didn’t disclose the extent of the breach, which it described as a technical issue that led to the accidental posting of customers’ private information on the website.
September 2018: Employees Discovered Selling Customer Data
In September 2018, the Wall Street Journal reported that Amazon employees had been illicitly handing over customer data in exchange for bribes. Employees in both China and the United States reportedly sold this data to Chinese sellers, at prices ranging from $80 to $2,000. The data included internal metrics as well as personal information, such as reviewers’ email addresses.
In May of 2018, Amazon’s security detected similar activity when they found that Amazon employees in China had been bypassing security controls, taking over customer accounts, and deleting customer reviews. These two incidents might not have been strictly related, as many of these employees appear to have been acting individually. But these kinds of internal threats have long been a persistent issue at Amazon.
May 2018: AMZReview Caught Selling Customer Data
In May 2018, Amazon discovered that a third-party service was selling Amazon customer data to outside sellers. For years, Amazon had offered sellers broad access to customer data, such as name and address. AMZReview compiled this data on a mass scale, and connected it to other customer information that had been leaked in other breaches.
AMZReview had obtained information on up to 16 million Amazon customers. But the problem was even bigger: some third-party companies had access to up to a billion orders, and Amazon found that over half of third-party developers were violating Amazon’s terms of service.
In response, Amazon tightened its controls over customer data, but it did not make any public statements about the data leak. When reporters at Wired asked, an Amazon spokesperson insisted that “There was not a data leak”, but had “no response” regarding how many customers’ data had been inappropriately hoovered up by third-party companies.
May 2017: Up to 24 Million Credit Card Numbers Exposed Internally
In May 2017, Amazon employees discovered a cache of American Express credit card numbers left unsecured on Amazon’s internal network. For at least several months, this credit card information was broadly available to Amazon employees. Because Amazon’s audit logs only went back 90 days, it is unclear whether this openly available data was abused during that time.
July 2016: Hacker Claims to Breach 80,000 Amazon Accounts
In July 2016, a hacker identifying as #0x2Taylor claimed on Twitter to have breached an Amazon server and obtained personal information on more than 80,000 Kindle users. He threatened to leak the data if Amazon did not pay him $700. When Amazon did not pay him, he posted this information online.
However, Amazon denied that they had been breached: “We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts.” In this case, it’s hard to tell for sure whether or not Amazon was actually breached.
2016: Amazon Employees Spy on Customer Purchase Histories
In November 2021, Wired reported that back in 2016, it was common practice for Amazon employees to spy on customers’ purchase histories. In the words of one manager: “Everybody, everybody did it.” Employees looked up the purchases of celebrities, such as Kanye West, and spied on their exes and romantic partners.
During this time, any customer service employee could look up practically any customer’s purchase history at any time. Because these access privileges were so widely distributed, it was easy for employees to abuse their power to spy on Amazon customers.
November 2015: Amazon Resets User Passwords as a Precautionary Measure
In November 2015, Amazon forced a reset of many users’ passwords. While there does not appear to have been an actual breach, Amazon seems to have identified a credible risk and taken this security measure just in case.
December 2014: Anonymous Hackers Leak Passwords for Amazon and Other Sites
In December 2014, hackers associated with the group Anonymous leaked 13,000 usernames and passwords for Amazon, Walmart, PlayStation Network, Xbox Live, and other websites. It’s unclear where or how they obtained this information, though they did state their motive: “We did for the Lulz.”
January 2012: Zappos Breach Exposes 24 Million Accounts
In January 2012, a hacker breached the servers of Zappos, an Amazon-owned online store. Although up to 24 million Zappos customers’ information was exposed in this attack, apparently Amazon accounts were not affected.
We did not find any earlier records of data breaches directly involving Amazon.