Amazon tells some customers their email addresses were exposed, but provides few details

Amazon.com informed some customers that their names and email addresses had been "inadvertently disclosed" as a result of a "technical error." The company said it had "fixed the issue" but did not say how many users were affected or where and how emails had been exposed.

By Tony Romm

Nov. 21, 2018 12:40 PM PT

The Washington Post

Amazon.com informed some customers Wednesday that their names and email addresses had been “inadvertently disclosed” as a result of a “technical error” but declined to provide further details about the security incident.

The e-commerce giant confirmed it sent the messages, adding in a subsequent statement that it had “fixed the issue.” Amazon did not say how many of its users had been affected or where and how the names and email addresses had been exposed. It said only that its website and other systems had not been breached.

(Amazon Chief Executive Jeff Bezos owns the Washington Post.)

Amazon’s limited disclosure comes days before the Black Friday and Cyber Monday holiday shopping frenzies, ahead of a season when holiday e-commerce sales are estimated to total more than $123 million, according to EMarketer.

The company’s handling of the security problem drew sharp criticism on social media.

Among its own sellers, some took to the company’s forums to complain about Amazon’s tight-lipped handling of the matter. “Who knows what they’re not disclosing about this,” one user wrote. “Hopefully nothing ...”

Others questioned Amazon after it told users there’s “no need for you to change your password or take any other action,” fearing the potential that hackers still might try to use their names and email addresses for nefarious purposes, including phishing scams.

It’s not the first time Amazon has run into security troubles. In October, it reportedly fired an employee who inappropriately shared customers’ email addresses with a third-party seller. The incident, which Amazon said it was working with law enforcement to investigate, similarly resulted in messages to customers indicating their email addresses had been exposed.

The latest incident could embolden those who would like to see businesses disclose more information about security incidents to their customers. Over the past year, tech giants such as Facebook and Google have experienced more serious mishaps affecting their users’ personal data.

The federal government has no law requiring companies to tell consumers when their information has been stolen or compromised.

Most states do have rules, but they generally cover only incidents that involve the theft of sensitive personal information, such as driver’s license numbers or credit card information. That includes Amazon’s home state of Washington, where companies must inform residents of data breaches if the breach includes the unauthorized disclosure of names along with information like Social Security numbers. Similarly, California’s law would not cover an incident in which only names and email addresses are taken.

UPDATES:

12:40 p.m.: This article was updated with information about an October incident and about federal and state laws.

This article was originally published at 10 a.m.