A hacker claiming to have breached an Amazon server has released more than 80,000 usernames and passwords belonging to Amazon users after the online retail giant failed to heed his warnings about vulnerabilities in its servers.
The hacker, who goes by 0x2Taylor on Twitter, told the Daily Dot he had attempted to contact Amazon three days ago to bring to the company’s attention a significant security risk that he spotted in ones of its servers.
Contained on the server were the usernames and passwords of over 80,000 Amazon Kindle users, along with a considerable amount of information linked to each account including: city, state, ZIP code, phone number, and the IP address from the user’s last login.
Ox2Taylor said he tested a selection of passwords and confirmed they were valid.
Amazon responded in an email to Mic in the days following the alleged hack. “We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts,” the company states.
Ox2Taylor, however, maintains that he hacked the online purveyor of goods. According to Mic, the hacker stated that “the server was owned by Amazon and the funny thing is those logins did work but they quickly disabled all the accounts.”
If Ox2Taylor’s name sounds familiar, it’s because he was just in the news regarding another high-profile hack. Following the fatal shooting of Alton Sterling by the Baton Rouge police department, the department’s servers were breached thanks to some shoddy login credentials. Ox2Taylor took credit for that act as well, though it still isn’t clear if he is working alone or as part of a larger unit, and simply acts as the public face of the attacks.
Regarding this most recent apparent breach, the self-proclaimed hacker and security researcher said he was seeking a payment of $700 from Amazon to reveal the vulnerability and how to fix it. “They’re a big company and they should have enough money to have the proper security defenses,” he explained.
Amazon does not currently offer a public bug bounty program—a common practice for major sites and services to provide compensation to those who report vulnerabilities. Amazon does maintain contact information for reporting any potential vulnerabilities, but the dedicated page for vulnerability reporting makes no mention of payment.
Security researchers hoping to contact Amazon to notify the company of security flaws have previously observed the company’s suspicious lack of bug bounty program. According to Fire Bounty, a database that maintains information about different bug reporting programs, Amazon offers “thanks” and “gifts” to those who report vulnerabilities but doesn’t offer cash rewards.
When Amazon failed to initially acknowledge 0x2Taylor’s attempts to contact the company, he decided to simply release the information he’d allegedly obtained. He posted a screenshot of the information on Twitter before eventually uploading the full database to the cloud storage service Mega.
0x2Taylor acknowledged the potential harm the information could have to those who appear in the database, stating, “the data in there could be classed as sensitive” and suggesting users update their passwords—a practice that he advises all people do regularly.
Despite the concerns the information housed in database may present for users, 0x2Taylor decided to leak it as a means of getting Amazon’s attention. “I was trying to prove them privately but they were ignoring my warnings,” he said.
With the information now available publicly, 0x2Taylor said he’s no longer seeking any contact with Amazon. “At this point I don’t really want to help them,” he said. “I think I’ve done enough damage as it is.”
Amazon did not respond to request for comment at the time of publication.
Update 5:49pm CT, July 17: This piece has been updated to reflect Amazon’s statement refuting the hack’s legitimacy as well as ox2Taylor’s response.