Thursday, November 21, 2024

2023 MOVEit Attacks Reveal Increased Data Theft

Eighteen months after the massive cyberattack that affected countless organizations, new victims are still emerging, including Amazon, which has confirmed that data on more than two million of its employees has been leaked.

The breach stemmed from a critical SQL injection vulnerability, CVE-2023-34362, in the MOVEit Transfer file transfer tool. The flaw was patched in late May 2023, but the Cl0p ransomware gang exploited it before organizations applied the fix, orchestrating a widespread attack. Notable victims included the BBC, Boots, and British Airways, all compromised through the payroll and HR IT specialist Zellis.

Recently, researchers at Hudson Rock revealed a significant data leak impacting at least 25 organizations. An individual using the name Nam3L3ss posted the compromised data to a dark web forum in CSV format. Alon Gal from Hudson Rock noted that the data included employee records from major companies like HP, HSBC, and McDonald’s, with Amazon providing over 2.8 million records. This dataset includes sensitive information such as employee contact details and departmental assignments, raising concerns about potential social engineering attacks.

Gal stressed the credibility of the leaked information, as Hudson Rock verified it by cross-referencing leaked emails with LinkedIn profiles and emails linked to malware infections. Amazon’s senior public relations manager, Adam Montgomery, confirmed the breach, stating they learned about a security incident involving one of their property management vendors, which affected several clients, including Amazon. He emphasized that only contact information was exposed, and assured that their systems remained secure.

Nam3L3ss, in posts shared with Computer Weekly, claimed they’re not a hacker and that their role is simply to monitor data leaks, not to buy or sell information. They pointed fingers at companies and government agencies for not adequately protecting their data during transfers. Nam3L3ss expressed a desire to hold these entities accountable for their leaking practices.

Whether there’s any connection between Nam3L3ss and the Cl0p ransomware group remains uncertain. Statements from threat actors should always be met with skepticism. Vlad Mironescu, from Searchlight, noted that Nam3L3ss could simply be resharing data from previous breaches, particularly from victims of the MOVEit attack. While they’re not selling the data, freely posting it increases risk, as it can attract malicious actors.

Kevin Robertson, COO at Acumen Cyber, highlighted how data circulates on the dark web, often resurfacing long after the initial breach. The MOVEit attack was a landmark incident, impacting thousands of organizations and billions of records. Even though it has received less attention this year, this leak shows that attackers are still extracting value from the stolen data, a reminder that the risk from a breach persists long after the vulnerability itself has been patched.