In a troubling revelation highlighting the ongoing repercussions of the MOVEit vulnerability discovered in 2023, Amazon has acknowledged that sensitive employee data was exposed via a breach associated with a third-party property management provider. The data breach, publicized by the threat actor “Nam3L3ss,” illustrates the continuing fallout from one of the most significant supply chain attacks last year.
Understanding the Attack Vector
The breach is linked to the MOVEit Transfer vulnerability (CVE-2023-34362), a serious SQL injection flaw that enabled attackers to access vulnerable systems without authentication. The vulnerability was first exploited in May 2023, allowing attackers to circumvent authentication measures and gain access to sensitive data stored in the database of MOVEit Transfer, a managed file transfer solution widely used in enterprise settings.
Profile of the Threat Actor: Nam3L3ss
The threat actor Nam3L3ss has risen to prominence within the cybercriminal landscape, recently publishing an extensive dataset containing over 2.8 million lines of Amazon employee data on BreachForums, as well as data from 25 other major firms. This actor asserts possession of “well over 250TB of archived database files” and warns that they “download entire databases from exposed web sources including MySQL, PostgreSQL, SQL Server databases and backups, Azure databases, and more.” Nam3L3ss claims that the data published merely represents “less than .001%” of the total cache, threatening the release of information sourced from up to 1,000 additional breaches.
Nam3L3ss has cautioned organizations to “pay attention” to these leaks, spotlighting the potential exposure of sensitive details such as cost center codes and internal organizational structures. The MOVEit vulnerability had previously been exploited by the Cl0p ransomware gang, though it remains uncertain whether the current data originated from Cl0p or its affiliates, or whether Nam3L3ss is operating independently.
Details of the Compromised Data
The exposed dataset from Amazon encompasses employee work contact information, including email addresses, desk phone numbers, and building locations. Adam Montgomery, a spokesperson for Amazon, confirmed the breach but asserted that core Amazon and Amazon Web Services (AWS) systems remained unaffected. Montgomery clarified to TechCrunch that the compromised information was limited to employee contact details.
“Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers, including Amazon. The only Amazon information involved was employee contact data such as work email addresses, desk phone numbers, and building locations,” stated Montgomery.
Implications of the Breach
This incident is part of a broader cyberattack campaign that has similarly affected numerous high-profile corporations like Lenovo, HP, HSBC, and McDonald’s. The MOVEit attacks have compromised data across more than 2,000 organizations, impacting the personal data of over 62 million individuals. This campaign represents one of the largest data theft operations in recent times, affecting a diverse array of victims, from private enterprises to governmental organizations.
The breach underscores a persistent vulnerability in supply chain security and emphasizes the need for robust vendor risk management strategies. Despite the initial MOVEit vulnerability being identified and patched in 2023, the repercussions of this security incident remain a critical concern for organizations. This situation starkly illustrates that even established companies with sophisticated cybersecurity safeguards can fall prey to vulnerabilities posed by third-party services.