The Anatomy Of Amazon Data Breach Explained

  • By David Lukic
  • Published: Aug 05, 2020
  • Last Updated: Nov 23, 2023

Along with being an online merchant, Amazon also supplies cloud servers to some heavy hitters in the financial, electronics, government, and technical industries. Unfortunately for Amazon, the Capital One data breach in July of 2019 also became an Amazon data breach.

Although Amazon has done its best to distance itself from the incident, the perpetrator who hacked the server was a previous Amazon employee, complicating the equation.

Amazon Data Breach of 2019

The Capital One data breach was devastating to 100 million customers whose names, social security numbers, credit scores, and credit card data were stolen. It is understandable why Amazon wouldn’t want any of the responsibility placed at its door.

The data breach was blamed on a misconfigured firewall used on the Amazon AWS server. A top cybersecurity privacy officer, Mark McCreary, agrees: “You need to configure the security correctly. Somebody made a mistake. This is not Amazon’s fault.” Amazon maintains that the security of the cloud server remained intact and that what was breached was the system built upon it.

The Capital One data breach that was linked to Amazon took place in July of 2019. However, The Guardian reported an actual Amazon data breach in November of 2018, when customers’ names and email addresses appeared on the Amazon website by mistake.

However, this was later reported by Amazon to be a glitch in the software, not an intrusion by a third party. The issue was quickly fixed. Amazon didn’t explain in detail what happened and simply referred to it as a “technical issue.” It is unclear how many users were affected.

Class Action Settlement

The Capital One data breach sparked a class action lawsuit that enveloped Amazon as co-defendants. Amazon and other charged companies were required to pay for and implement specific cybersecurity measures, including:

  • Strengthening cloud governance practices
  • Enhancing threat detection and vulnerability management
  • Improving training for cybersecurity analysts
  • Improving existing restrictive access to information

Apart from cybersecurity improvements, Capital One raised a settlement fund of $190 million for any damaged parties. This money went to anyone who could reasonably trace their losses to the data breach and included losses from:

  • Identity Theft
  • Identified Fraud
  • False Tax Returns
  • Or “Other Misuse of Personal Information”

If you’re looking for reimbursement in this case, make sure you’ve documented your circumstances. This includes the receipts from any services you hired, or time spent rectifying damages. Anyone claiming lost time should be ready to detail the actions they took, how long each step required, and whether any of these actions required them to take any type of leave from work.

Additionally, any losses must have been incurred on or after March 22, 2019.

Paige Thompson Convicted in the Summer of 2022

It was only last year that a former Amazon Web Services (AWS) employee was found guilty of infiltrating Amazon’s servers during the 2019 data breach. Paige Thompson, also known under the username “Erratic” on hacking forums, was convicted of seven counts of fraud by a US District Court in Seattle.

The punishment can be up to 20 years in prison.

The Department of Justice reported that Thompson wrote a program that scanned Amazon’s servers for security misconfigurations in cloud-based storage. She used the misconfigured accounts to gain further access to Capital One and install crypto-mining malware that would deposit earnings into her online accounts.

The bizarre part of the situation was how blatant Thompson was about her actions. She took to various sites and communities, including GitHub forums, and admitted to stealing the information. Her defense attempted to use this information to argue her position as an “ethical hacker.”

Ethical hackers probe security systems for weaknesses. Many companies hire ethical hackers to stay protected against the most current attack patterns used by black-hat hackers. The Computer Fraud and Abuse Act (CFAA), implemented on May 19, protected ethical hacking.

However, Thompson publicized private information online, which was enough to convince people of her intentions behind the attack.

Thompson was ultimately given a sentence of time served and five years of probation. She spent 100 days in jail and would perform a minimum of 50 hours of community service for each year of her probation. This sentence considered the limited impact of her hacking and mental health problems.

How to Find Out About Your Amazon Account Data Breach?

Capital One notified all affected parties by email or mail directly after the incident occurred. The perpetrator, Paige A. Thompson, an ex-Amazon employee, was arrested by the FBI. You can visit the page set up by Capital One to check to see if your data was breached or contact them via phone at 1-833-727-1234 for more information. 

Who to Contact and What to Do if Your Info Was Compromised in Amazon Data Breach

Some of the information breached was social security numbers, credit card data, and banking information. So, if you were affected, the first thing to do is close those accounts and re-open new ones or have Capital One issue you new cards and numbers. It’s also a good idea to enable a credit freeze so no one can open up any new accounts in your name. You may want to consider a credit monitoring service like IDStrong.com, as well. Additionally, you should take these steps:

  • Watch out for phishing scams and never click any links within email or download attachments.
  • Scan your computer for viruses and malware.
  • Change all your bank account and credit card logins and use strong random passwords (with a combination of letters, numbers, and symbols).

Zappos Breach Finally Settled

An older data breach case from Amazon reached an anti-climactic conclusion in 2019. 

Zappos, an Amazon-owned fashion retailer, experienced a massive data breach in 2012. The incident lost the names, addresses, passwords, and credit card numbers of 24 million accounts. This made it one of the most significant breaches to date.

While it’s common for corporate lawsuits to run for many years, Zappos’ case was out of the ordinary. After seven years and multiple attempts by Zappos to throw out the case, the final punishment can barely be called a slap on the wrist.

Settled in the US District Court of Nevada in 2019, Zappos was ordered to distribute a 10 percent discount code among affected customers. This code was applicable within 60 days of distribution or by the end of the year, whichever came later. Zappos sent out an email to affected customers, but the actual cost of the promotion was never disclosed.

This light sentencing was due to several factors, including Zappos’ continued denial of wrongdoing. The company also denied its role in the loss of complete or partial credit card numbers. Zappos did, however, agree to pay up to $1.6 million in attorney fees for the plaintiffs.

Despite the settlement looking more like a marketing ploy than a sanction, the seven-year case did have certain long-term effects.

Zappos submitted a plea to the Supreme Court that would require customers to prove they were harmed in a breach. The appeal was denied, setting a precedent for future cases.

Today, Zappos has dedicated a section of its FAQ to recognizing and stopping various cybercrime strategies.

Amazon Emails Leaked in 2020

In October 2020, Amazon announced that it had fired an employee for sharing customer email addresses with outside organizations. Ironically, Amazon sent the announcement to affected customers through email.

A similar event occurred earlier in the year when Amazon fired multiple employees for leaking customers’ phone numbers and emails. Amazon didn’t disclose the extent of the damages in either case and refused to comment further.

This isn’t the first time Amazon’s security measures surrounding employees have been lacking. Former low-level employees have admitted to snooping on the buying histories of actors, musicians, and even ex-partners.

Twitch Data Lost in 2021

Amazon’s most recent data breach came from their live streaming platform, Twitch. The service announced an error in its servers that allowed a hacker to access private account information.

Since the streaming platform includes paid subscription services, it potentially affected the financial information for viewers and streamers. In response, the company reset the broadcast keys that allow streamers to go live and interact with their audiences.

Twitch later announced that there’d been no evidence of leaked login credentials and that their servers didn’t store complete credit card information. However, over 100GB of files were posted to 4chan the following Wednesday.

Leaked data included internal documents, source code, and security information and exposed the earnings from the platform’s highest-paid streamers.

The 4chan user described the Twitch community as a “disgusting toxic cesspool,” and claimed they intended to “foster more disruption and competition in the online video streaming space.”

This wasn’t the first time that Twitch was called out for toxicity. Many accused the platform of promoting only “white-cis-hetero-male” streamers.

Can My Personal Information from Amazon be Used for Identity Theft?

The information breached from the Amazon server in the Capital One incident is very damaging and more than enough for a hacker to use to steal your identity. Sometimes these criminals will use only your name and email and contact you through email pretending to be Amazon or Capital One and hope that you click a link that infects your computer with malware so they can steal even more information or take control of your computer. Sometimes they demand that you click a link to go to a spoofed website where you enter your login or other details to “validate your account,” and then that information is in the hands of the cybercriminals. 

How to Prevent Data Breach

Although there isn’t anything we can do to protect all the websites and companies where our personal information resides, there are some steps we can take to keep our private information private and our stuff safe. Also, using an identity theft protection service will be very helpful.

  • Never give out your personal details unless you initiate the call or action.
  • Always keep your computer antivirus updated and run deep scans often.
  • If, after this Amazon data breach, you received any suspicious-sounding emails from Capital One, forward them to abuse@capitalone.com.
  • Consider freezing your credit to prevent any new accounts from being opened in your name.
  • Routinely monitor your credit reports, bank, and credit card statements.
  • Be on the lookout for phishing scams, and use common sense when opening emails. 