A hacker using the handle 0x2Taylor has released a data dump containing information from 80,000 Amazon Kindle users. The dump is being hosted by the file hosting site MEGA. 0x2Taylor had contacted Amazon before leaking the data to inform them of a security weakness, but was ignored. He later threatened to leak the data if Amazon didn't pay him $700, and was again ignored. He has stated, "Personally I don't want to leak the data." Despite his stated reluctance, he did eventually leak the data in order to get Amazon's attention.
The dump appeared to contain usernames and encrypted passwords for 80,000 accounts. An analysis suggests that the usernames are genuine, but the passwords all appear to have a similar structure. The data mining company Hacked-DB suggests that they aren't passwords at all, but rather session keys, which resemble those that can be found in Amazon cookie data.
In addition to usernames and probable session keys, the dump contains personal data associated with the accounts. Phone numbers, street addresses, email addresses, and IP addresses were all included in the dump. The dump even includes the most recent date on which each account successfully logged in. The dates included in the file are as recent as June of this year, so the dump contains fairly recent information.
The same hacker responsible for this dump has also claimed credit for hacking the Baton Rouge Police Department just hours prior to the Amazon leak. The initial leak contained 50,000 police records, and an additional 58,000 records were later leaked. The leaks contained names, addresses, emails and phone numbers. 0x2Taylor gave his reason for the hack by stating, "The reason I hacked the database was because of what that police officer did to Alton Sterling. There was no need to shoot him when they had him pinned down. He wasn't trying to fight them."
A writer at Network World suggests that the leaked data may be fake or at least generated in some way. The writer picked five accounts at random and checked the data associated with them. Google Maps placed three of the addresses in locations with no houses, like the middle of the woods, and two addresses were halfway between two houses. She attempted to call the five phone numbers, but none of the calls could get through. Three of the numbers gave a message that said, "number or code you dialed is incorrect," one number gave a busy signal and the last one gave the message, "the person you called is unavailable right now."
The writer also considered the format of the email addresses to be unusual. All the emails began with a name but were followed by a random string of letters and numbers. The passwords were also unusual, being made up of random uppercase letters and numbers. Such passwords are fairly unusual because they would be difficult to remember. As mentioned above, Hacked-DB has an alternative explanation for the unusual passwords, suggesting that they aren't passwords at all, but it makes no mention of irregularities in the other data fields.
Brian Wallace, a researcher at the security firm Cylance, came to the same conclusion. He notes some of the same issues including the format of the emails and passwords. He also notes that a large majority of the IP addresses come from ColoCrossing, a company which provides data centers as a service. Based on this he concludes, "I believe the data released is not representative of actual Amazon users, but instead this information was generated. It is not clear whether this information was generated by the individual who released the information, or if it was generated by a third party, and that information was then obtained by the individual who released it."
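As an added illustration, not part of the original story or of the Hacked-DB or Cylance analyses, the following Python triage scores a dump against the three anomalies described above: uniform uppercase alphanumeric "passwords" that look like session keys, email local parts built as a name plus a random alphanumeric suffix, and IP addresses clustered in a single network block. The sample records, regexes and the 0.75 threshold are constructed assumptions, not values from the leak.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample records (NOT from the real dump): four that show the
# reported anomalies and one that looks like an ordinary human-created account.
SAMPLE = [
    {"email": "jsmith8k2q4@example.com", "password": "Q7H2ZK9P3XW4L1M8N6R0", "ip": "192.0.2.10"},
    {"email": "mlopez3v9t7@example.org", "password": "A3F8K1L9P2Q7W4X6Y0Z5", "ip": "192.0.2.55"},
    {"email": "dchen5r2w8@example.net", "password": "M4N9B7V2C6X1Z8L3K5J0", "ip": "192.0.2.201"},
    {"email": "anna.reed@example.com", "password": "correct horse battery", "ip": "198.51.100.7"},
    {"email": "tkhan1q6e3@example.com", "password": "R8T2Y6U0I4O1P7A9S3D5", "ip": "192.0.2.88"},
]

TOKEN_RE = re.compile(r"[A-Z0-9]{16,}")              # only uppercase letters and digits, key-like
SUFFIX_RE = re.compile(r"([A-Za-z]+)([a-z0-9]{5,})")  # a name followed by a random run


def token_like_password(pw: str) -> bool:
    """True when a 'password' looks like a generated key rather than a user-chosen one."""
    return TOKEN_RE.fullmatch(pw) is not None


def suffixed_email(email: str) -> bool:
    """True when the local part is letters followed by an alphanumeric run containing a digit."""
    local = email.rsplit("@", 1)[0]
    m = SUFFIX_RE.fullmatch(local)
    return bool(m) and any(c.isdigit() for c in m.group(2))


def top_prefix_share(ips, prefixlen: int = 16) -> float:
    """Share of records whose IP falls in the single most common /prefixlen block.
    Real users spread across many ISPs; generated data tends to sit in one hosting range."""
    blocks = Counter(ip_network(f"{ip_address(ip)}/{prefixlen}", strict=False) for ip in ips)
    return blocks.most_common(1)[0][1] / len(ips)


def triage(records, threshold: float = 0.75) -> dict:
    """Score each anomaly as a fraction of records and list the ones above the threshold."""
    n = len(records)
    scores = {
        "token_like_passwords": sum(token_like_password(r["password"]) for r in records) / n,
        "suffixed_emails": sum(suffixed_email(r["email"]) for r in records) / n,
        "top_prefix_share": top_prefix_share([r["ip"] for r in records]),
    }
    scores["flags"] = sorted(k for k, v in scores.items() if v >= threshold)
    return scores


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high score on any one signal is only a hint; the dump in the story also needed the manual address and phone checks described above before anyone could call it generated.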
Thanks to Twitter user @BaldFlavor for bringing the Network World story to our attention.
If you have an Amazon account, are you concerned about Amazon's security? Leave your comments below.