I received one of these emails. It does appear to genuinely be from Amazon.
The interesting thing to me is that some people seem to have received the email from no-reply@amazon.com. I received it from order-update@amazon.co.uk
Perhaps that's just due to being on different TLD but seems interesting to me that I should receive one from the order-update@amazon.co.uk address.
no-reply@amazon.co.uk exists and would seem like the better email to send out such a notice from. I'm curious why they'd use the order update email system.
Maybe the name and email was revealed as part of a mis-configured ordering process? Perhaps revealed to sellers and not a 'breach' in the traditional sense?
I got one from order-update@amazon.co.uk too. Looked genuine -- didn't seem to be fishing for anything. However, the complete lack of information bothered me a lot.
This was one of the poorest emails I’ve received about a breach. I had to triple check it wasn’t an odd phishing attempt.
The email, in full:
——
Hello,
We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
This makes me very sad. You'd think a company with so many employees and SO much of our data could do a better job at the very least telling us what happened in a decent way. I get that data leaks happen. It's unfortunate, but with so many people and so many complex systems, I'm not mad. But it's absolutely unacceptable to send such a poorly worded email.
> You'd think a company with so many employees and SO much of our data could do a better job at the very least telling us what happened in a decent way
You are not their primary concern or interest. Market share and margins are. You are 100% replaceable within seconds on their platform.
This is the unfortunate truth. You have to stand up for yourself and own your own data. I like to hope that over the next few years we are reigniting the technologically literate into self-hosting and providing small hosting services for their less technologically literate connections. I think the secret to making this happen is through PKI edcutaional initiatives and simpiliar access to administration automation. I live in NYC, and my wild imagination sees a world were each building has a technically literate "supervisor" that is making a stable profit off hosting the basics for tenants. It's a pipe dream I know, but that's not going to stop me taking what steps I can to make that happen.
Counterpoint: I haven't got one, despite using both the UK and US Amazon website regularly. So it remains to be seen what happened, and if Amazon is to blame.
Edit: Asked around, so far, none of my friends and family who use the UK site exclusively have gotten an email.
Could also be phishing gone wrong? Because what better time to do it than close to Black Friday?
It looks like it has something to do with being a _seller_ on Amazon. Had the email been sent by someone with a clue, it would have been explicit. Instead everyone is just speculating (including me).
I didn't get that from the thread title ("user's e-mails") or the Register article [0] which says:
> Amazon's UK press office acknowledged that the email was genuine, saying only: "We have fixed the issue and informed customers who may have been impacted."
and
> [...] this is not a breach in the sense of a hack while maintaining that the snafu is an inadvertent technical error and that they emailed customers from an abundance of caution.
Looks like they've ballsed up the incidence response quite badly, and seems to be Amazon's fault.
11 comments
[ 7.9 ms ] story [ 38.1 ms ] threadThe interesting thing to me is that some people seem to have received the email from no-reply@amazon.com. I received it from order-update@amazon.co.uk
Perhaps that's just due to being on different TLD but seems interesting to me that I should receive one from the order-update@amazon.co.uk address.
no-reply@amazon.co.uk exists and would seem like the better email to send out such a notice from. I'm curious why they'd use the order update email system.
Maybe the name and email was revealed as part of a mis-configured ordering process? Perhaps revealed to sellers and not a 'breach' in the traditional sense?
The email, in full:
—— Hello,
We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely, Customer Service http://Amazon.com ——
No template; not addressed to me; no details. Capitalized domain name.
The email is checking the “we have to notify” box and not an inch more.
You are not their primary concern or interest. Market share and margins are. You are 100% replaceable within seconds on their platform.
Edit: Asked around, so far, none of my friends and family who use the UK site exclusively have gotten an email.
Could also be phishing gone wrong? Because what better time to do it than close to Black Friday?
> Amazon's UK press office acknowledged that the email was genuine, saying only: "We have fixed the issue and informed customers who may have been impacted."
and
> [...] this is not a breach in the sense of a hack while maintaining that the snafu is an inadvertent technical error and that they emailed customers from an abundance of caution.
Looks like they've ballsed up the incidence response quite badly, and seems to be Amazon's fault.
[0] https://www.theregister.co.uk/2018/11/21/amazon_data_breach/