If I saw an email like that, my brain would be screaming "SCAM".
"Hello" - no name etc. FFS, what ever made them think that's acceptable?
Amazon has suffered a data snafu just days before Black Friday – and the company was tight-lipped about whether it had notified the British data protection authorities. Multiple Register readers forwarded us emails sent from Amazon's UK tentacle informing them that the online sales site had "inadvertently disclosed [their] …
I agree, even easier as there was no action required.
Hi [Name], We're writing to notify you that your account is among a number which *have* been involved in a security breach. Please log into your account using your normal route to see further information and what steps, if any, to take next. As always, please do not click on links on emails, we will never ask for your details..... blah blah
If a reset is required, deal with it when a log in is attempted, not using an email link. Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners and images, so people are not trained this way.
Unfortunately, marketing departments have ensured that 'legitimate' emails are full of full page banners
Some time ago, our marketing team wanted a whole slew of twitter/FB/LinkedIn/etc etc buttons added to the bottom of every outgoing email. Even if we were willing to do that (email is a 7-bit ASCII mechanism dammit!) we managed to come up with a (cough) valid technical reason why not - the increase in file size.
The average email size (without attachments) was about 6K bytes. Once the buttons and associated JS were added, it balooned up to 200K.
We pointed this out to Marketing and let them know that increased costs in bandwidth and storage would be charged to them. Mysteriously, the request was withdrawn thereafter.
"If a reset is required, deal with it when a log in is attempted, not using an email link.
I've berated PayPal numerous times about sending emails with links to log in. Their communications often looked exactly like phishing attempts. While I'm a cynical old bastard, the vast majority a people are lazy idiots and will click links because "it's so much work" to type in a URL. Given that so many use their mobiles, they are right. I can bang out a URL on a proper keyboard in a blink, but without the tactile feedback, it's takes longer on the mobile and between my fat fingers and auto-correct, it can take some time.
They probably wanted to get it out ASAP. I sure as hell don't personalize my replies when I have to answer 10's of the same ticket...
Still, one would think the biggest tech company in the world would have a better system already in place for this.
Or a website that isn't vulnerable. One of the two.
Yep, I initially thought it looked dodgy when I received the same email yesterday. But the mailbox I use is only for that Amazon account and nothing else, and there were no spurious links in it or actions to take.
They could have done a much better job of the correspondence. But an explanation on exactly what prompted it in the first place would have been more appropriate and appreciated.
You only get 72 hours to contact the ICO here when you become aware of a breach.. you don't need to tell them what's happened just say "we dun goofed and will get back to you" but they will be slightly peeved if you don't get in touch for a few months as usual.
Not that they'll do anything mind.
This is a terrible email because it looks like a phishing scam. Because it didn't mention an action it wanted me to take such as clicking on a link, it wasn't obvious how this email would benefit a scammer. I studied the email header but it looked pretty genuine. Then I took to Google and it pointed me to this El Reg article.
I've spent £1,000's with Amazon over the last 13 years and I would expect a decent email from them including an APOLOGY for disclosing my personal details. It doesn't even greet me by name or link to further information to explain in what way my details were disclosed, when the breach happened and how long it exposed my details for.
I feel really let down and would prefer never to use them again to teach them a lesson, but they obviously wouldn't even notice my missing custom and they know I'd lose out more than they would. I only hope the ICO have put their teeth in today.
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain? :-(They've obviously mistaken you for Julian Assange. Seen any black helicopters lately?
"there'll be a stray cat waiting to follow you home and it will be hungry."
The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how mallable your mind is.
Usually when you fall into the category of 'soft touch' by offering them food, they will then just turn their noses up at you with a look of disgust* to put you in your proper place.
*Unless a partcularly nice morsel. They aren't stupid. Just self absorbed.
The default position of any cat is 'I am hungry, give me food'. This is just a test, however, to see how mallable your mind is
I think I've failed that test - many, many, many times. That's probably why we have seven cats (age range - 12 years to 1 year. Youngest cat was (at this time last year) a two-month old stray living in a friends garden. Now spends a lot of time sleeping next to the radiator..)
They aren't stupid. Just self absorbed
Cat intelligence varies enormously according to the subject matter. Food happens to be a subject that they have PhD-level intelligence in.
They do a people delivery service already, a guy was found (naked) in a Amazon storage box in japan just this week.
Yeah, I got the spammy sounding email overnight; luckily this is an account I use for commercial sites I expect to spam me, so the spam filters on it are already set to "kill everything"
Oh, Amazon, please stop recommending cat food to me by email and push notifications. I don't have a bloody cat, never had and never clicked on anything cat-like. How can I remove this from your dumb AI's brain?
Ages ago somewhere in My Account I stumbled across an e-mail marketing page, disabled every tickbox, and have never had a marketing e-mail since. I assume this is still present.
I don't have a bloody cat, never had and never clicked on anything cat-like
It's the universe telling you that you are missing something essential from your life..
(Almost was late for work this morning - $YoungestCat decided that my lap was an appropriate place to curl up as I was eating breakfast..)
Might be useful:
Art. 82 GDPR Right to compensation and liability:
"...Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."
Data Protection Act 2018:
Compensation for contravention of the GDPR
(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non- material damage” includes distress.
He's making a list
He's checking it twice
He's gonna find out who's naughty or nice
Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
He has a legitimate interest if you're sleeping,
He knows if you're awake
He knows if you've been bad or good,
So you'd better watch out.
You'd better not cry.
You cannot opt-out,
I'm telling you why.
Santa Claus has a legitimate interest in maintaining data on you and does not need to use the consent model of the GDPR.
[sorry about the scanning.]
A hairy alcoholic (16.8 million litres of sherry in one night?) with a sock fetish, dressed by a corporate sponsor in the sugar industry, commits serial breaking and entry, to bring sweets and gifts to certain kids that he has assessed as "nice." And the authorities have done nothing *NOTHING!*
Save us ICO - you're our only hope.
I'm among the last to give Amazon any kudos or praises, but let's do an honest gut check.
If you believe this looks phishy, then you're a ripe target for a well built phishing email.
You're basically stating, if it looks professional and is well written, then the email is legit.
Going off grammar or spelling is an method. Just look at the responses to this forum!
In fact, you should treat all unsigned external emails the same. No matter how they look or are written.
At anytime there is a question... get off your fat ass and investigate it. The return URL is legitimate enough, that if you would have followed up on it, your question would have been answered within 5 minutes.
If the URL would have been slightly different, but questionable, there are security tools--such as Fiddler--which you should, as an IT professional be very comfortable using by now.
Large organizations should have a mailbox employees can forward an email to, so an InfoSec employee who will make a determination.
In many of our red team out briefs, we comment on how an organization can spend $2 Million on security devices, but it will not do much good if they don't spend money hiring active--opposed to lazy IT and InfoSec professionals.
I'm pretty sure most people, at least here on el'reg are not saying that the only way they check is if an email is properly written. An email having grammatical/spelling errors is just a big warning sign and the most obvious.
I've managed to get almost all of my users forwarding on messages of this type if they are unsure. And yes legitimate emails can come in with similar errors especially if you work with foreign companies etc. I've even seen some from British companies.
I've also got most checking links in emails before clicking and if possible going direct to the site and not via the link. This is much harder though, people going about their jobs want things to be easy. In their ind IT will clear up any issues... at least until I point out that the policy say they are to check these things first.
For once I haven't been included in a breach.
On the basis of previous breaches, it is normal for belated discovery of how many records were exposed, when, and who the data applied to.
So for once, you haven't yet been notified that your data may have been included in this breach?
So I wouldn't go as far as Huzzah, but you might want to give a resounding Huh.
I got one of these. No idea how easy it was to find my details. No indication of how long they were exposed for. And yes nothing about informing the ICO.
If I was Amazon I'd be analyzing my logs to to at least work out if this data has been mined systematically or not. Potentially somebody has my home address and a list of all the products I've reviewed. Fantastic. Time to stop doing product reviews altogether...
I've spent a half hour on chat with one of the bots, sorry I mean customer assistants.
They are not reporting to the ICO.
they have no idea what a subject access request is....
This is not going to end well for them. Start making SAR's and asking where that information went and they might take notice....
I've received no letter which may be because I closed my account, however they did say when I closed my account that they would keep my name, address and order details on their systems for "audit purposes" which potentially means it's been breached but they haven't informed me as my account's closed.
Amazons response to me:
The e-mail you received wasn't from Amazon.co.uk, and we're investigating the situation. We suggest you never respond to any e-mail message that asks you to provide personal or financial information, open an unsolicited attachment, or navigate to a website linked to in the e-mail.
"Organisations must assess if a breach should be reported"
And this is why so much legislation is toothless: it's left up to companies to determine whether they think a breach should be reported.
Just like Safe Harbor\\\\\\\\\\\Privacy Shield "compliance" is determined via "self certification" by the marketing weasels: "Of course you can trust us with your Personal Data, we don't bite (much, honest)!" We've said we are compliant, so of course we are.
The whole point of having regulatory bodies is for them to do the regulating (and the hitting with big sticks, when necessary, too).
I mean, the ICO won't even accept complaints from the public until you have raised your concern with whichever dodgy organisation has misused your data first (and it's not exactly the best idea to have to actually confirm any of your personal details to any of the real dodgy operators out there who had originally vacuumed them up from some even more dubious "genuine marketing lead mailing list", do you think they give a figgy pudding about data protection compliance?).
So the more detailed explanation essentially says that the original message was to warn amazonions that they might receive phishing emails? And not to click on links in suspicious emails? And A---Zon sent that message in an email that included a strange link?
I heard a wonderful story on NPR (in the US) about Amazon's use of AI. If this is the byproduct, we should all be very afraid...
But isn't sensitive, like your last order number. Add it on the bottom: To aid you in verifying the legitimacy of this communication, your last Amazon order number was 23462098 on Oct 15, 2018.
While that information could be had by someone who breaks into your email account, then you are being targeted by spear phishers which is a whole other class of attack.
This has come up on the very same day Tourtech UK Ltd [ the motorcycle parts company] seem to have sent out a mass email to many customers with an attached receipt for work carried out to the sum of £351.24 . The source appears to be from their email server but they too seem to have neither registered on the ICO Public register nor reported the possible loss of customer data and are "investigating the matter".
I may be able to shine a little light in the darkness... I e-mailed email@example.com a week ago because I got a spammy e-mail specifically offering money to write product reviews on Amazon This is to an e-mail address I only give out to family and retailers I similarly trust with my credit card data.
It's not the first time I've gotten targeted emails that seem to know I'm a highly rated reviewer on Amazon, but this time they failed to use the BCC field and supplied me with a list of dozens of e-mail addresses that clearly look valid. Not remotely sequential, not dictionary words stuck together, not brute-forcing all random combos, etc. Clearly a list of personal e-mail addresses.
I requested they check the list of addresses against their user database to confirm or disprove my strong suspicion that their website is somehow being coaxed into leaking private customer e-mail addresses. Then came the Amazon e-mail early this morning...
Purely speculating now, I wonder if this is related to the phenomenon of lots of new merchant accounts popping up on Amazon, which claim to have millions of items at absurdly low prices, then either send a tracking number for unrelated packages (to stall for time) or else don't even bother pretending they have ever shipped anything. In either case they're playing a numbers game, waiting until their feedback and refund rate is bad enough that Amazon blacklists them, but in the mean time collecting angry e-mails forwarded through Amazon's e-mail proxying system of people asking where their items have gone.
I received that email as well and I'm located in the USA. I think Amazon has a saboteur in their company. Not only the problem of emails and names being exposed but also thousands of customers who were banned from reviewing their purchases and all their past purchase reviews removed without explanation. Amazon is aware there's a huge problem but rooting out the cause is apparently proving difficult. The Wall Street Journal wrote an article a few months ago https://www.wsj.com/articles/amazon-investigates-employees-leaking-data-for-bribes-1537106401
"Amazon Investigates Employees Leaking Data for Bribes Employees, through intermediaries, are offering internal data to help merchants increase their sales on the website."
rcxb and Miss_X2m1 have brought my attention to the fact that I too have been receiving so-called notifications apparently from Amazon of things waiting for me at my post office, with a helpful link to some page that is neither a Post Office site nor Amazon.
Of course, not being part of the numpties that click on links from unknown entities, I just controlled that the link was suspicious and trashed the mail forthwith.
Now, though, I have to wonder : is this part of the consequences of the breach-that-was-not-a-hack ? I live in France, so if it is, the problem is much larger than just the UK (since Miss_X2m1 is USA-based).
I got one too and sent a screenshot to Amazon UKs twitter account twice and they just ignored me.
That's the problem with self regulation, it's hard to prove that amazon hasn't done the reporting assessment properly. At the moment it certainly looks like they're ignoring it and hoping we'll go away.
So I've changed my password anyway, even though they didn't contact me. I'm still puzzled as to why my Author / book selling activities have to use the same account as me as a retail customer. Maybe I made a mistake at setup time.
I don't trust them.
I could write an essay about their misleading retailing to Irish customers and misleading deals for Authors.
Biting the hand that feeds IT © 1998–2019