Company remains mum on key details, including where breach happened and for how long.
Some Amazon customers woke up on Wednesday to an email saying a technical error caused the site to disclose their names and email addresses. While Amazon officials have said the emails are authentic, they aren’t providing additional details beyond what’s in the extremely terse communication.
Wednesday’s email doesn’t say how long customers’ personal details were disclosed or precisely where on the site the disclosure took place. It’s also not clear how many customers received the email and whether a geographic location, specific purchase, or other common thread caused certain customers to be affected.
Below is the text of an email sent to one Amazon customer:
Sent: 21 November 2018 10:53
Subject: Important Information about your Amazon.com Account
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
An Amazon representative told Ars, “We have fixed the issue and informed customers who may have been impacted.” However, the representative declined to provide additional details. On background, the company is saying that the disclosure wasn’t the result of a website or systems breach but rather a technical error that is now fixed. The company is emailing customers out of an abundance of caution to let them know their email addresses and names were disclosed.
Translation: the disclosure was likely the result of a programming error or bug that made select Amazon customers’ names and email addresses available either to the public at large or to specific people. There’s no reason to believe the information disclosed included payment card data, physical addresses, past purchases, or other personal details. For however long the disclosure happened, it has now been fixed.
While the disclosure is limited and has since been contained, Wednesday’s email is frustrating because it omits details that are key to assessing the severity of the event. It’s not asking too much to want Amazon to say precisely where and how the information was disclosed and for how long—those details matter. A disclosure that lasted for only a few minutes and shared details with a single random person is different from one that published names and email addresses on Amazon’s site for an extended period.
It’s not clear why Amazon is notifying customers of the event but declining to provide such basic information. Notably, Wednesday is the day before the four-day Thanksgiving holiday in the US. Companies often use the pre-Thanksgiving Wednesday to make legally obligated disclosures that reflect poorly on the company or its management.
Still, as inadvertent disclosures of personal information go, the one Amazon is revealing seems relatively limited. It’s also a reminder that it’s never a bad idea to use a separate email address for accounts with Amazon and other services. People can always set up the alternate address to forward to their main address. In the event the alternate address becomes public, people can delete it and set up a new one.