- Devin Nunes’ lawsuit with Twitter over parody accounts inspires more parody accounts Tuesday 7:53 PM
- Alexandria Ocasio-Cortez posts SpongeBob meme to diss Green New Deal adversaries Tuesday 7:23 PM
- Twitter blasts Benny Johnson over heinous Native American ‘socialist’ reservations take Tuesday 6:16 PM
- New Zealand arrests 2 for sharing video of mosque shooting Tuesday 4:44 PM
- ‘Queer Eye’ season 3 serves more frothy fun and cathartic realness Tuesday 4:30 PM
- Everyone is roasting this photo of Kourtney Kardashian in a bubble bath Tuesday 4:15 PM
- White House report has a lot of superheroes listed as interns Tuesday 4:06 PM
- Google to launch ‘Stadia’ cloud gaming service this year Tuesday 3:55 PM
- Amy Schumer addresses her ‘Growing’ pains in new Netflix special Tuesday 2:04 PM
- This Bitcoin tie is everyone’s favorite part of the Theranos documentary Tuesday 1:56 PM
- Trump’s social media guru gets suspended on Facebook Tuesday 1:51 PM
- YouTube time traveler says he saw a dinosaur—in the future Tuesday 1:47 PM
- Why is Netflix changing the viewing order for ‘Love, Death & Robots’? Tuesday 12:47 PM
- Elizabeth Holmes’ deep voice captivates and confuses the internet Tuesday 12:40 PM
- These cat purses have everything you need (including balls) Tuesday 12:22 PM
Apparent Amazon breach yields login credentials of over 80,000 Kindle users
Time to change your password (again).
A hacker claiming to have breached an Amazon server has released more than 80,000 usernames and passwords belonging to Amazon users after the online retail giant failed to heed his warnings about vulnerabilities in its servers.
The hacker, who goes by 0x2Taylor on Twitter, told the Daily Dot he had attempted to contact Amazon three days ago to bring to the company’s attention a significant security risk that he spotted in ones of its servers.
Contained on the server were the usernames and passwords of over 80,000 Amazon Kindle users, along with a considerable amount of information linked to each account including: city, state, ZIP code, phone number, and the IP address from the user’s last login.
Ox2Taylor said he tested a selection of passwords and confirmed they were valid.
Amazon responded in an email to Mic in the days following the alleged hack. “We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts,” the company states.
Ox2Taylor, however, maintains that he hacked the online purveyor of goods. According to Mic, the hacker stated that “the server was owned by Amazon and the funny thing is those logins did work but they quickly disabled all the accounts.”
If Ox2Taylor’s name sounds familiar, it’s because he was just in the news regarding another high-profile hack. Following the fatal shooting of Alton Sterling by the Baton Rouge police department, the department’s servers were breached thanks to some shoddy login credentials. Ox2Taylor took credit for that act as well, though it still isn’t clear if he is working alone or as part of a larger unit, and simply acts as the public face of the attacks.
Regarding this most recent apparent breach, the self-proclaimed hacker and security researcher said he was seeking a payment of $700 from Amazon to reveal the vulnerability and how to fix it. “They’re a big company and they should have enough money to have the proper security defenses,” he explained.
Amazon does not currently offer a public bug bounty program—a common practice for major sites and services to provide compensation to those who report vulnerabilities. Amazon does maintain contact information for reporting any potential vulnerabilities, but the dedicated page for vulnerability reporting makes no mention of payment.
Security researchers hoping to contact Amazon to notify the company of security flaws have previously observed the company’s suspicious lack of bug bounty program. According to Fire Bounty, a database that maintains information about different bug reporting programs, Amazon offers “thanks” and “gifts” to those who report vulnerabilities but doesn’t offer cash rewards.
When Amazon failed to initially acknowledge 0x2Taylor’s attempts to contact the company, he decided to simply release the information he’d allegedly obtained. He posted a screenshot of the information on Twitter before eventually uploading the full database to the cloud storage service Mega.
0x2Taylor acknowledged the potential harm the information could have to those who appear in the database, stating, “the data in there could be classed as sensitive” and suggesting users update their passwords—a practice that he advises all people do regularly.
Despite the concerns the information housed in database may present for users, 0x2Taylor decided to leak it as a means of getting Amazon’s attention. “I was trying to prove them privately but they were ignoring my warnings,” he said.
With the information now available publicly, 0x2Taylor said he’s no longer seeking any contact with Amazon. “At this point I don’t really want to help them,” he said. “I think I’ve done enough damage as it is.”
Amazon did not respond to request for comment at the time of publication.
Update 5:49pm CT, July 17: This piece has been updated to reflect Amazon’s statement refuting the hack’s legitimacy as well as ox2Taylor’s response.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.