A trove of data on 80,000 users did not come from Amazon’s systems, the company said, and may have been automatically generated
E-commerce giant Amazon said a trove of user data recently published online did not come from its servers, while a computer security analyst said the data appeared to have been automatically generated.
The data, supposedly concerning more than 80,000 users of Amazon’s Kindle reading device, was published on Friday by a hacker who claimed to have asked for $700 (£543) from Amazon in order to withhold the leak, but who said Amazon had refused to pay.
“I am Amazon, I fail at securing data for 80K users. I ignore warnings. Be like me today,” the hacker, using the handle 0x2Taylor, wrote in a Twitter post before publishing a 597.4 MB file containing the data.
The data appears to contains email, password, street address, city, state, telephone number and other data on Kindle users, according to experts who viewed the file.
Amazon, however, said the data was not legitimate.
“We have confirmed that this information did not come from Amazon’s servers, and that the accounts in question are not legitimate Amazon customer accounts,” the company stated.
Brian Wallace, a security researcher with Cylance, said all or most of the data appeared to have been automatically generated, and could have been either false data or accounts set up by Internet bots.
The email addresses were found solely on Gmail, Yahoo or Hotmail services and all followed the same format, while the passwords all consisted of random upper-case letters and numbers, with no words or occurrences of popular passwords, he said.
The physical addresses also appeared to be locations chosen at random, he said.
He said the data could have been generated either by the hacker who released it or by a third party.
Are you a security pro? Try our quiz!