Hacker claims to have breached Amazon server, dumped data on nearly 84,000 Kindle users

After a person claiming to be a security researcher “declared war on the Baton Rouge police” and took credit for the data breach after the shooting death of Alton Sterling, he took aim at Amazon.

In a Twitter direct message, hacker @0x2Taylor told Mic that he and a buddy “’breached a server’ owned by Amazon that contained database files with more than 80,000 Kindle users’ information.”

The data included names, addresses, passwords, user agents, IP addresses and more. He claimed, “When they first got Kindles and set them up, all their stuff was being logged and put into a database.” 0x2Taylor sent Mic emails and passwords to try to “legitimize the breach.”

0x2Taylor claims to have informed Amazon; he posted a screenshot to prove he had the data and attempted to extort $700 from Amazon in exchange for not disclosing the breach “because the attack was easy.” He allegedly hoped this would push Amazon into implementing better secure measures.

Although he “personally” didn’t want to leak the data, he said, “If I don’t receive a payment from them the data will be posted online along with an older dump.”

Amazon reportedly ignored his warning, so he uploaded the data to Mega cloud storage and tweeted a link to the leak.

He called Amazon “a big company and they should have enough money to have the proper security defenses.” He added, “I was trying to prove [to] them privately but they were ignoring my warnings.”

Tony Gambacorta, vice president of operations at cybersecurity firm Synack, told Mic that the data seems to be legit.

Looking through the leaked information, Gambacorta said he was “definitely” able to see phone numbers, street addresses, email addresses, the last time a user logged in (7:33 p.m. on June 5th of this year, meaning this isn’t old data), how many times that user tried to log in, how many times he successfully logged in and his login source IP address.

Yet Gambacorta called it more of a privacy issue than a security issue, since it seems likely the passwords were “auto-assigned by a system.” He added, “I wouldn’t want to find my name on this list.”

Dumped data for actual Kindle users or not?

I checked out the data, too, choosing five names at random. Google Maps placed three of the addresses in locations without houses, such as in the middle of the woods or half way between two houses down a country road.

As for phone numbers for those five people, none of the calls connected. Three gave an error message about the “number or code you dialed is incorrect,” one had a weird fast busy signal, and the fifth resulted in “the person you called is unavailable right now.”

All of the email addresses seem to be in a weird format, such as johndoe6lak5m5@hotmail.com, johndoevmv69ok@gmail.com, johndoe21m5rac@yahoo.com. For each of the five names, the corresponding passwords were way too random, too secure, ranging from 8 to 11 capital letters mixed with numbers. Of course, that was testing only five of the reportedly 83,899 individuals included in the data dump.

Brian Wallace, aka @botnet_hunter, is a security researcher and member of the Cylance SPEAR team. He examined the Amazon data and found quite a few problems. He believes “the data does not belong to legitimate users and there is no need for concern to Amazon users.” The data has been generated, Wallace said, but he is not sure if it is “fake data or bot accounts.”

Wallace told Security Affairs that the 83,899 email addresses “only resided on Gmail, Yahoo or Hotmail” and the passwords were “random upper case letters and numbers, with no words and no occurrences of popular passwords.”

He added that the user agents also “did not represent legitimate user behavior” and appear to have been “picked from a short list at random.” A large amount of the “last IP” addresses belong to ColoCrossing, and at least some of the users would not have connected from a data center.

In other words, don’t sweat it. Wallace concluded:

Based on this evidence, I believe the data released is not representative of actual Amazon users, but instead this information was generated. It is not clear whether this information was generated by the individual who released the information, or if it was generated by a third party, and that information was then obtained by the individual who released it.