While Amazon has confirmed that attackers revealed some of its employees’ data, the actors behind the leak say they want data owners to take user privacy seriously.
The MOVEit Transfer hack, among the biggest last year, continues to haunt companies. A self-proclaimed data hacktivist has now published millions of user records on a data leak forum.
Amazon, the company with the most records exposed in the leak, nearly 3 million, confirmed that the data breach exposed phone numbers, email addresses, and office locations of its employees. However, Amazon and AWS systems were not impacted by a security incident, the company said in a statement sent to Cybernews.
“We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations,” Amazon's spokesperson told Cybernews.
According to security firm Hudson Rock, other major names involved in the leak include banking behemoths HSBC, UBS, and City National Bank, as well as tech giants HP and Lenovo. Even fast food chain McDonald’s was on the list.
While the person or persons who leaked the information claim high motivations, their actions could have a cascading effect on exposed organizations.
Why is the Amazon leak dangerous?
Even though the leak reveals information obtained from past data breaches, Cybernews researchers believe that organizing past data significantly assists actors with malicious intent.
“The leaks’ author downloaded and processed previously breached and leaked information, making it easier to understand and navigate, lowering the effort required for malicious actors to abuse it in larger campaigns,” our team said.
Attackers may use the leaked information to concoct social engineering, phishing, and credential-stuffing attacks, which could lead to subsequent breaches within the companies whose data was revealed.
Earlier this year, Cybernews discovered a similar organized dataset, which we dubbed the Mother of all Breaches (MOAB). It contained 26 billion records over 3,800 folders, with each folder corresponding to a separate data breach.
Researchers believe organizations that don’t have robust cybersecurity policies are in the most danger, as it takes significant effort to cyberproof systems against past attacks.
Self-proclaimed data security evangelist
Interestingly, attackers who posted the vast dataset on a well-known data leak forum tried to paint their efforts in an awareness-raising light.
“First, let me make it clear to the world. I am not a hacker! […] I am not affiliated with any ransom group or hacker group. I do not sell data. I do not buy data,” the data leaker commented in what they called a “manifest.”
The person or persons operating under the moniker Nam3L3ss said they monitor the dark web for exposed online cloud services. According to Nam3L3ss, if organizations and government agencies are “stupid enough” not to encrypt transferred data, it's their own fault.
“Those that are sending encrypted data have a responsibility to make damn sure that a third party is keeping it encrypted,” the data leaker said in their manifesto.
While it’s true that companies ought to take user data privacy seriously, there are less nefarious ways to approach the issue. One example, albeit attracting far less attention, is to inform the impacted companies that their information was exposed.
What companies were exposed?
According to Hudson Rock, tens of companies were exposed, with millions of records revealed. However, not all organizations were impacted equally, with some having several thousand records exposed, and others – from half a million to 2.8 million.
Here’s the full list of impacted organizations reviewed by Hudson Rock:
- Amazon (2.86 million records)
- MetLife (585K)
- Cardinal Health (407K)
- HSBC (281K)
- Fidelity (fmr.com) (124K)
- U.S. Bank (114K)
- HP (104K)
- Canada Post (70K)
- Delta Airlines (57K)
- Applied Materials (AMAT) (53K)
- Leidos (53K)
- Charles Schwab (49K)
- 3M (49K)
- Lenovo (45K)
- Bristol Myers Squibb (37K)
- Omnicom Group (37K)
- TIAA (24K)
- UBS (20K)
- Westinghouse (18K)
- Urban Outfitters (URBN) (18K)
- Rush University (16K)
- British Telecom (BT) (15K)
- Firmenich (13K)
- City National Bank (CNB) (9K)
- McDonald’s (3K)
So far, only Amazon has confirmed the data leak, with 404 Media reporting the confirmation first. We’re contacting other companies for confirmation and will include their responses after obtaining a reply.
What’s the MOVEit Transfer hack?
Last year, the now-defunct ransomware gang Cl0p exploited a zero-day bug impacting MOVEit Transfer, a managed file transfer software. The now-patched zero-day bug affected MOVEit Transfer’s servers, allowing attackers to access and download the data that the company's customers stored there.
Organizations use the MOVEit service to send and receive files from their clients using secure channels, which means attackers could access sensitive data.
The attack affected multiple companies, including Shell, ING Bank, Deutsche Bank, Postbank, American Airlines, Radisson Americas, and many others. According to cybersecurity firm Emsisoft, over 2,700 organizations were impacted, exposing a whopping 95 million users.
The attack’s return to headlines 15 months after it first took place is a stark reminder of how hard it is to guard against third-party provider hacks, Joe Silva, the CEO of cybersecurity firm Spektion, said.
“By the time any company reacts to third-party software risks and vulnerabilities, they're already being actively exploited while just being publicly disclosed,” Silva said.
Updated on November 12th [12:55 p.m. GMT] with a statement from Amazon.