Pierluigi Paganini July 09, 2016

The hacker behind the Twitter account 0x2Taylor is claiming to have breached one of the Amazon servers containing 80,000 login credentials of Kindle users.

The hacker 0x2Taylor is claiming to have breached an Amazon server containing login credentials of Kindle users. As a proof the hack, the hacker leaked online more than 80,000 credentials belonging to Amazon users, he also explained that the company ignored his warnings about the existence of vulnerabilities in its servers.

0x2Taylor on Twitter, explained to the Daily Dot he had reported to Amazon the flaws three days ago, but without success.

The hacked server contained the 80,000 Amazon Kindle user data, including login credentials, city, state, ZIP code, phone number, and the IP address of the user’s last login.

0x2Taylor also confirmed to have verified the validity of the credentials, he also added that he asked $700 payment from Amazon, but the company doesn’t run a bounty program neither acknowledges the hacker’s attempts to contact the company.

“They’re a big company and they should have enough money to have the proper security defenses,” he added. “I was trying to prove them privately but they were ignoring my warnings,” “At this point I don’t really want to help them,” he said. “I think I’ve done enough damage as it is.”

The hacker shared screenshot of the information on Twitter before to upload the full database to the Mega cloud storage service.

0x2Taylor is the same hacker who took credit for the data breach suffered by the Baton Rouge police department after the shooting of Alton Sterling.

0x2Taylor suggested users to update their passwords as soon as possible, inviting them to do it regularly.

Let’s wait for a reply from Amazon. I personally consider useful for companies to operate a bounty program, a flaw reported by white hat hacker could allow any firm to save million of dollar losses resulting from a data breach.

UPDATE July 10th, 2016

I reached the Security Researcher at the Cylance SPEAR Team Brian Wallace (@botnet_hunter) for a comment:

“As a security researcher and an Amazon customer, I had a natural curiosity about the supposed breach. Upon inspecting the data, I found that the data did not match expectations of normal user data. The email addresses for the user accounts all appear to match the same format. The format consists of the first initial, then last name followed by a random sequence of letter and numbers. Additionally, all of the email addresses resided on only gmail.com, yahoo.com, or hotmail.com. Seeing that, I counted up the occurrences of each domain used, and found that of the three domains, each one showed up roughly one third of the time. This is not what one would expect to see in a data dump, but this is what one would expect to see if these three domains were picked at random 83,899 times. Given this evidence that the data was generated, I continued to look for further evidence that the information was not representative of legitimate users.

The data provides values for the “last IP” of the user, presumably representing the IP address of the user the last time they logged in. Upon inspecting the IP addresses, I found that a large majority of the IP addresses belong to ColoCrossing, a company which provides datacenters as a service. While it is likely that some Amazon users may be connecting from datacenters, one would expect that these would be the vast minority, and not the majority.

When inspecting the “user_agent” field, presumably the User Agent field provided by the web browser of the user the last time they logged in, I found this also did not represent legitimate user behavior. Similarly to the email domains, it appears that these user agents were picked from a short list at random, as the counts of each user agent were roughly equal. Normally, one would expect to some popular browsers, some unpopular browsers, and far more than 22 different user agents.

The passwords listed in the data are also not representative of legitimate users. All passwords appear to consist of random upper case letters and numbers, with no words and no occurrences of popular passwords. One may assume that some users may randomly generate passwords, but it is exceedingly unlikely that all 83,899 users generated passwords in the same way.

I have not tested any of these user accounts on Amazon.com as that could potentially incur legal risk.

Based on this evidence, I believe the data released is not representative of actual Amazon users, but instead this information was generated. It is not clear whether this information was generated by the individual who released the information, or if it was generated by a third party, and that information was then obtained by the individual who released it.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, data breach)