Amazon Data Breaches: Timeline Up to October 2022

Amazon, one of the largest online retailers in the world, has been the subject of several data breaches over the years.

These breaches have put the personal and financial information of millions of users at risk, and have highlighted the importance of cybersecurity measures in today’s digital age.

Data breaches like these are a reminder of the importance of strong cybersecurity measures and the need to constantly monitor networks for intrusion by hackers.

With so much personal and financial information at stake, it is crucial for companies like Amazon to prioritize the security of their users’ data and take proactive steps to prevent and address breaches.

March 2023 – Amazon Data Breach

ALPHV, a ransomware group, alleged on the dark web on March 13 that they had infiltrated Ring, Amazon’s doorbell security firm.

However, Amazon denied that there was any indication of a ransomware attack on Ring and suggested that a third-party vendor may have been breached instead.

Despite the possibility of ALPHV having Ring customer data, there is currently no additional evidence to support the notion that Amazon Ring experienced a data breach.

June 2022 – Amazon Data Breach

Former Amazon employee Paige Thompson was found guilty in June 2022 for her involvement in the 2019 Capital One security breach.

During her employment at Amazon Web Services, Thompson utilized her knowledge of cloud server weaknesses to gain unauthorized access to the systems of Capital One and more than 30 other companies.

As a result, she obtained personal information, including names, dates of birth, and social security numbers, of over 100 million individuals.

In the trial, Thompson’s defense presented her as an ethical hacker who aimed to alert companies about security gaps before malicious individuals could take advantage of them.

However, the U.S. Department of Justice contradicted this argument by stating that Thompson did not inform the companies she breached, boasted about the incident on hacker forums using the pseudonym “erratic,” and made a profit from the breach by placing crypto mining software on numerous servers she hacked.

During the closing arguments, Assistant U.S. Attorney Andrew Friedman summarized, “Her intentions were to obtain data, make money, and brag about it.”

Thompson was found guilty of wire fraud, damaging a protected computer, and five counts of unauthorized access to a protected computer by a Seattle jury after ten hours of deliberation.

However, the jury found her not guilty of access device fraud and aggravated identity theft. Thompson may be sentenced to up to 45 years in prison.

Despite Capital One’s denial of responsibility for the incident, the Office of the Comptroller of the Currency fined them $80 million for their inadequate security practices. Furthermore, the company settled a class action lawsuit for $190 million.

October 2021 – Amazon Data Breach

Twitch, a streaming platform owned by Amazon, experienced a significant data breach on October 6, 2021.

The breach involved an unknown attacker who posted 128 gigabytes of leaked files to a 4chan message board, which included Twitch’s source code, streamers’ earnings numbers, and other sensitive information.

The attacker claimed an activist motive, stating that they aimed to foster more disruption and competition in the online video streaming space and expressed their contempt for Twitch’s community, which they described as a “disgusting toxic cesspool.” The identity of the attacker remains unknown.

Twitch explained in a blog post that an error in its server configuration led to the exposure of the mentioned data. On October 15, Twitch reconfirmed that the breach did not compromise any passwords, login details, credit card numbers, or banking information.

The company also mentioned that they are reaching out to the affected individuals directly.

July 2021 – Amazon Data Breach

Amazon was fined 746 million euros by the Luxembourg National Commission for Data Protection in July 2021 for allegedly breaching the European Union’s General Data Protection Regulation (GDPR) by mishandling personal data.

However, Amazon denied any wrongdoing and stated that it would appeal the fine, which it believes to be baseless since there was no data breach.

October 2020 – Amazon Data Breach

In 2020, a group of dissatisfied Amazon workers voluntarily disclosed Amazon customer email addresses to third parties for the second time. The individuals responsible for the security breach were terminated from their employment at Amazon.

Amazon did not communicate directly with the customers whose email addresses may have been exposed, and the exact number of affected customers remains unknown.

The recurrence of insider threats at Amazon is evident, as employees have repeatedly leaked sensitive customer data and confidential information to external entities.

September 2020 – Amazon Data Breach

Six individuals were indicted by a Washington grand jury in September 2020 for allegedly bribing Amazon workers to gain an unjust advantage in Amazon’s third-party marketplace.

The defendants, all of whom had provided consultancy services to Amazon sellers, and three of whom had also sold their own products, engaged in bribery and fraud to obtain customer data, launch attacks against competing sellers, and reinstate product listings that Amazon had previously removed.

January 2020 – Amazon Data Breach

A group of Amazon employees was found to have shared confidential customer information with outside parties in January 2020. The disclosed data included some customer email addresses and phone numbers, but the exact number of affected customers is unknown.

Amazon terminated the employees involved, but it remains uncertain if these events were related, and the company has not provided additional information on the matter.

September 2019 – Amazon Data Breach

In September 2019, Amazon Japan customers discovered that they could access the order histories of other shoppers, which included personal information such as names and delivery addresses.

The extent of the impact on users is unknown, but Amazon reported that the issue was resolved and affected customers were notified after the incident was publicized.

November 2018 (1) – Amazon Data Breach

In November 2018, Amazon’s security department detected that Krasr, a third-party seller, had given bribes of about $160,000 to Amazon staff to negatively impact Krasr’s competitors on Amazon’s platform.

After identifying and terminating seven employees who received the bribes, Amazon reported the incident to the FBI. However, it seems that Krasr’s owner has not been apprehended or accused of any offenses.

November 2018 (2) – Amazon Data Breach

In November 2018, Amazon made a public announcement regarding a significant data breach related to customer names and email addresses, which occurred just two days before Black Friday.

Although the company claimed to have contacted affected users, it did not disclose the full extent of the breach. Amazon attributed the incident to a technical problem that unintentionally exposed customers’ personal data on its website.

September 2018 – Amazon Data Breach

According to a report by the Wall Street Journal in September 2018, Amazon workers were allegedly providing customer data to Chinese sellers in exchange for bribes.

The data, which was sold for amounts ranging from $80 to $2,000, consisted of internal metrics and personal details, such as the email addresses of reviewers. The illicit activities were said to have occurred in both the United States and China.

May 2018 – Amazon Data Breach

In May 2018, Amazon became aware that an external service provider was selling Amazon customer data to external vendors.

For a considerable period of time, Amazon had been granting sellers widespread access to customer data, including personal information such as names and addresses.

AMZReview obtained and aggregated this data on a large scale, and merged it with other customer information that had been compromised in previous security breaches.

AMZReview had acquired data on as many as 16 million Amazon clients. However, the situation was more extensive than that, as certain third-party firms had access to information on as many as one billion orders.

Additionally, Amazon discovered that over 50% of third-party developers were in breach of the company’s terms of service.

Amazon increased its control over customer data following the incident but refrained from making any public statements about the data leak.

When questioned by Wired reporters, an Amazon spokesperson denied the existence of a data leak but declined to comment on the number of customers whose data had been unlawfully obtained by third-party entities.

May 2017 – Amazon Data Breach

In May 2017, Amazon employees found a collection of unsecured American Express credit card numbers on the company’s internal network.

This sensitive information was accessible to Amazon employees for an extended period of time, but it remains uncertain whether the data was misused while it was exposed, as the audit logs only covered the previous 90 days.

July 2016 – Amazon Data Breach

On Twitter in July 2016, a hacker known as #0x2Taylor asserted that he had hacked into an Amazon server and acquired the personal details of over 80,000 Kindle users.

The hacker demanded $700 from Amazon and threatened to disclose the information otherwise, which he ultimately did after Amazon refused to pay.

Amazon denied being breached and stated that the leaked information did not originate from their servers and that the affected accounts were not authentic Amazon customer accounts.

Thus, it is challenging to determine with certainty whether or not Amazon was indeed breached in this instance.

The Year 2016 – Amazon Data Breach

According to a Wired report in November 2021, it was a regular practice for Amazon employees to secretly access customers’ purchase histories back in 2016. As stated by a manager, “everyone” was involved in this practice.

The employees would also access the purchase history of high-profile individuals like Kanye West and spy on their former or current partners.

November 2015 – Amazon Data Breach

Amazon reset the passwords of several users in November 2015 as a precautionary security measure, even though there was no evidence of an actual breach. This action was taken by Amazon after identifying a credible risk to the security of their users.

December 2014 – Amazon Data Breach

In December 2014, hackers linked to Anonymous leaked 13,000 usernames and passwords for various websites, including Amazon, Walmart, PlayStation Network, and Xbox Live.

The source of this information remains unknown, but the group stated their reason for doing so was simply “for the Lulz”.

January 2012 – Amazon Data Breach

A hacker penetrated the servers of Zappos, an online store owned by Amazon, in January 2012, resulting in the exposure of the personal information of potentially 24 million Zappos customers.

Despite this incident, it seems that Amazon accounts were not impacted. It appears that there are no prior instances of data breaches directly involving Amazon.

Kevin James

I'm Kevin James, and I'm passionate about writing on Security and cybersecurity topics. Here, I'd like to share a bit more about myself. I hold a Bachelor of Science in Cybersecurity from Utica College, New York, which has been the foundation of my career in cybersecurity. As a writer, I have the privilege of sharing my insights and knowledge on a wide range of cybersecurity topics. You'll find my articles here at Cybersecurityforme.com, covering the latest trends, threats, and solutions in the field.