I may be able to shine a little light in the darkness... I e-mailed firstname.lastname@example.org a week ago because I got a spammy e-mail specifically offering money to write product reviews on Amazon This is to an e-mail address I only give out to family and retailers I similarly trust with my credit card data.
It's not the first time I've gotten targeted emails that seem to know I'm a highly rated reviewer on Amazon, but this time they failed to use the BCC field and supplied me with a list of dozens of e-mail addresses that clearly look valid. Not remotely sequential, not dictionary words stuck together, not brute-forcing all random combos, etc. Clearly a list of personal e-mail addresses.
I requested they check the list of addresses against their user database to confirm or disprove my strong suspicion that their website is somehow being coaxed into leaking private customer e-mail addresses. Then came the Amazon e-mail early this morning...
Purely speculating now, I wonder if this is related to the phenomenon of lots of new merchant accounts popping up on Amazon, which claim to have millions of items at absurdly low prices, then either send a tracking number for unrelated packages (to stall for time) or else don't even bother pretending they have ever shipped anything. In either case they're playing a numbers game, waiting until their feedback and refund rate is bad enough that Amazon blacklists them, but in the mean time collecting angry e-mails forwarded through Amazon's e-mail proxying system of people asking where their items have gone.