Online giant Amazon has hit back at claims that a hacker was able to steal over 80,000 user records belonging to Kindle users from one of its servers.
On 8 July, a hacker using the pseudonym 0x2Taylor posted a link on Twitter to a data dump that appeared to consist of thousands of customer credentials – including names, passwords, email addresses, addresses and telephone numbers.
After widespread media coverage stating the online firm had suffered a leak, Amazon has since denied the data is real. In a statement, it said: "We have confirmed that this information did not come from Amazon's servers, and that the accounts in question are not legitimate Amazon customer accounts."
Previously, 0x2Taylor claimed to have demanded $700 (£540) from Amazon to stop the publication of the information and said it was only leaked after the firm ignored his messages. "I am Amazon, I fail at securing data for 80K users. I ignore warnings. Be like me today," he posted to Twitter before uploading the data on a cloud service called Mega.
In messages to technology website Mic, the hacker attempted to explain how the 'hack' took place. He said he and a friend had "breached a server" and added: "When [users] first got Kindles and set them up, all their stuff was being logged and put into a database." He did not elaborate further. "Personally I don't want to leak the data," he claimed at the time.
After the data was published, Tony Gambacorta, vice president of operations at cybersecurity firm Synack said he believed the dump was real – adding to mounting speculation the credentials were from inside the computer networks of Amazon.
He said: "Given all this data, I would have no reason to believe this isn't valid. On a surface level, this seems like this would be legit." Others, however, were not so sure.
Speaking with Security Affairs, Brian Wallace, security researcher with Cylance, said that upon analysis the legitimacy of the data was highly questionable. Ultimately, he said the leak should be of "no concern" to Amazon Kindle users.
Same hacker as Baton Rouge police department?
"I believe the data released is not representative of actual Amazon users, but instead this information was generated," he said. "It is not clear whether this information was generated by the individual who released the information, or if it was generated by a third party, and that information was then obtained by the individual who released it."
As previously reported, the same hacker took credit for a recent data leak of information from the Baton Rouge police department following the fatal shooting of Alton Sterling. It is not believed this incident involved a great deal of hacking and instead has been blamed on weak passwords on the login page of an internal database.
"The website had its permissions set wrong and shouldn't have been left open for the public to see this data," said security intelligence analyst Jamie-Luke Woodruff. "They seem to have obtained credentials to the Oracle server in which they extracted the database information. But they didn't set out to get the data that they obtained, it was just random that the credentials was found."