I received an email this morning, purportedly from Amazon, about my account. It said, “We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
My first thought was that it was a phishing attempt, particularly since there was no https in the link, and the link capitalized the “A” in amazon.com. But inspection of the link itself and the header/path to the email made me wonder whether it was actually a real email from Amazon. If so, it’s totally unsatisfactory. I took to Twitter to inquire, and eventually sent @AmazonHelp a message:
Good morning, @AmazonHelp. Not to be rude, but if the email below is legit, it is unsatisfactory. For how long was my email address exposed? To whom was it exposed? The whole world? How did it wind up exposed? Could anyone seeing it also see orders linked to that email address?
Good morning, @AmazonHelp. Not to be rude, but if the email below is legit, it is unsatisfactory. For how long was my email address exposed? To whom was it exposed? The whole world? How did it wind up exposed? Could anyone seeing it also see orders linked to that email address? pic.twitter.com/xkamRjhNDB
— Dissent Doe, PhD (@PogoWasRight) November 21, 2018
In response to my tweet, data protection advocate @ScottMcCready pointed out that wishlists are public if you know the individual’s address.
Amazon did not immediately respond. If I get a response or explanation from Amazon, I’ll update this. If the email is a fake, it’s a very puzzling one.
Update 1: People are frustrated by Amazon’s lack of meaningful answers. See this report in The Register. Catalin Cimpanu of ZDNet also reports that he has gotten only canned answers to inquiries.
Update 2: Amazon seems unmoved by the outpouring of disgust over their seriously inadequate incidence response. Yes, something happened, but they won’t explain it to any of the news outlets that have contacted them (including this site, whose tweets are being retweeted by unhappy consumers). And telling us you fixed something doesn’t tell us how many people might have accessed our information or what else they could have found out from that.
This is just unacceptable, Amazon. I won’t be shopping on your site again until I know more.