Cyber Incident Victim: Amazon.com Inc.
Date: Jul 2016
Location: United States of America
Summary
A hacker claimed to have compromised an Amazon server, exposing over 80,000 user credentials including usernames, passwords, geographic details, phone numbers, and recent login IP addresses. The individual asserted the credentials were functional until the company disabled the affected accounts, though Amazon denied that the data originated from its systems or involved legitimate customer accounts. The hacker said he had attempted private disclosure of the vulnerability and sought compensation, criticizing the lack of a formal bug bounty program. After receiving no response, he leaked the data publicly to pressure the company into addressing the security concerns.
Description
In July 2016, a hacker using the alias 0x2Taylor claimed to have breached an Amazon server containing sensitive customer data. The compromised information reportedly included over 80,000 Amazon Kindle usernames and passwords, along with associated personal details such as city, state, ZIP code, phone number, and the IP address from each user's last login. 0x2Taylor stated that he had discovered a significant security vulnerability in one of Amazon's servers and had attempted to notify the company privately three days before the leak. When Amazon did not respond to his warnings, the hacker publicly released the credentials. He said he had verified the validity of a sample of the passwords before disclosure and later claimed that Amazon disabled all affected accounts shortly after the leak. 0x2Taylor demanded $700 from Amazon in exchange for disclosing the vulnerability and its remediation, criticizing the company's lack of a formal bug bounty program despite its resources. The hacker acknowledged the sensitivity of the exposed data and advised users to change their passwords as a precaution.

Amazon disputed the hacker's claims in a statement to media outlets, asserting that the leaked credentials did not originate from its servers and that the accounts were not legitimate Amazon customer accounts. This contradicted 0x2Taylor's assertion that the compromised server belonged to Amazon and that the credentials had worked before being disabled. The incident highlighted Amazon's lack of a public bug bounty program offering financial rewards, unlike industry peers; its vulnerability reporting page mentioned only non-monetary compensation such as "thanks" and "gifts." Security researchers had previously noted difficulties in reporting flaws to Amazon. 0x2Taylor, who also claimed responsibility for breaching Baton Rouge Police Department servers following the Alton Sterling shooting, stated that he leaked the Amazon data solely to force corporate attention after being ignored. The full extent of the impact on users remained unclear, though the exposed personal information created potential risks beyond account access. Amazon did not provide additional comment to the Daily Dot regarding the incident.
