Amazon confirms employee data breach tied to 2023 MOVEit Hack

WASHINGTON, UNITED STATES — A significant data breach has exposed work-related information of Amazon employees through a third-party vendor’s compromised system, adding to the growing list of organizations affected by the widespread MOVEit hack campaign.
Details of Amazon employee data breach
The breach surfaced when a hacker, known as “Nam3L3ss,” posted on BreachForums, claiming possession of approximately 2.8 million Amazon employee records. The exposed data includes work email addresses, desk phone numbers, building locations, and job titles.
The hacker claimed that the information was obtained through the 2023 MOVEit hack, which exploited a vulnerability in Progress Software’s MOVEit file transfer tool.
Amazon clarifies the scope of the breach
Amazon confirmed the breach in a statement but emphasized that its internal systems were not compromised. The company clarified that the data leak occurred through a third-party property management vendor that manages employee information for several companies.
The e-commerce giant also reassured clients that only work-related contact details were exposed; sensitive personal information such as Social Security numbers and financial data was not affected.
Importantly, the company noted that the breach primarily involved employee contact information and has not affected Amazon itself or Amazon Web Services (AWS).
Impact on other major companies
The same hacker has reportedly leaked employee data from other prominent organizations, including BT, McDonald’s, Lenovo, Delta Airlines, and HP.
These breaches appear to stem from the same real estate services vendor responsible for managing Amazon’s employee data.
Outsourcing firms among MOVEit hack victims
Several major outsourcing firms were also significantly impacted by the MOVEit hack:
- Maximus, a U.S. government services contractor, emerged as one of the largest victims, with up to 11 million individuals’ protected health information compromised.
- The U.S. division of Serco, which primarily works with government agencies, confirmed in June 2023 that it was affected by the hack. More than 10,000 individuals’ personal information was stolen from its third-party vendor’s MOVEit server.
- Zellis, a payroll and HR provider, saw data from high-profile clients such as British Airways and BBC exposed.
- Aon, a professional services firm, had information from around 100 clients compromised in the attack.
These outsourcing firms were particularly vulnerable because they handled sensitive data for multiple clients, which created a cascading effect when breached.
MOVEit Hack: One of the largest in history
The MOVEit hacking campaign is attributed primarily to the Cl0p ransomware group and has affected nearly 2,800 organizations globally. The breach has compromised sensitive data belonging to nearly 100 million individuals worldwide, making it one of the most extensive cyber incidents in recent history.
With its wide-reaching impact on both private companies and government contractors, the MOVEit hack continues to highlight vulnerabilities in third-party software systems used by large organizations.