Amazon informed some of its users this morning that the company's website may have exposed their names and email address in a way that made the information publicly accessible. Amazon chalked the issue up to a technical error and said the problem has since been fixed. It's not clear how many people are effected by the leak.
The exposure does not appear to be the result of a breach of Amazon's website or systems, and the amount of information exposed appears to be minimal, but the situation is still far from ideal. It's not clear if anyone accessed the exposed usernames and email addresses. If the information was scraped from Amazon by a malicious party, the leaked email addresses could be used to launch phishing attacks.
Amazon's disclosure of the breach is pretty unsatisfying. Even if the issue is relatively minor, as it seems to be, Amazon's email to affected users is very brief and short on details. It doesn't explain when the error occurred, how long information was exposed or if it was accessed by anyone. The company didn't even apologize for the problem.
Amazon's legit been sending out notices saying sorry we exposed your email address. Seems likely related to this https://t.co/21cRB2dHTk... Besides the brevity, what's giving people pause is they sign the email https://t.co/KDiteRFaeR Why cap the "a" and why no https://? Strange pic.twitter.com/mwty3GmCN1— briankrebs (@briankrebs) November 21, 2018
While the error that caused the leak may be fixed, Amazon has run into some issues lately with keeping user information private. Last month, the company fired an employee who was sharing customer emails. Earlier this year, it was reported that third-party sellers have approached Amazon employees and offered them cash bribes in exchange for internal data and email addresses of top Amazon reviewers.