Amazon disclosed on November 11, 2024 a data breach that exposed employee information after the data was allegedly stolen during the May 2023 MOVEit Transfer attacks. The company said that the data was stolen from a third-party property management vendor. The MOVEit vulnerability (CVE-2023-34362), first exploited in May 2023, allowed unauthenticated attackers to gain unauthorized access to vulnerable systems. This critical SQL injection flaw enabled cybercriminals to bypass security measures and potentially steal sensitive data from thousands of organizations worldwide.
The Amazon employee information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations.
Amazon did not disclose the number of impacted employees.
A threat actor using the handle Nam3L3ss leaked over 2.8 million records containing Amazon employee data on the hacking forum BreachForums.
Read more about it here.