Hackers breached the Amazon accounts of several third-party vendors using stolen credentials obtained through the dark web to post fake deals and steal cash.
The threat actors have reportedly changed the bank deposit information on the compromised accounts to steal tens of thousands of dollars from the users, several sellers and advertisers have said. The attackers also targeted accounts that hadn't been recently used to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash.
It's unclear how many accounts were compromised and the hack appears to have stemmed from email and password credentials stolen from a previous breach.
A New York-based lawyer representing Amazon told the Wall Street Journal more than a dozen of his clients have reported hacks, and many of them lost about half of their monthly sales ($15,000 to $100,000) as a result. All of the affected sellers will be made whole. An Amazon spokesperson said that the company has a zero-tolerance policy for fraud.
"We withhold payment to sellers until we are confident that our customers have received the products and services they ordered. In the event that sellers do not comply with the terms and conditions they've agreed to, we work quickly to take action on behalf of customers," the company said in a prepared statement to SC Media. "There have always been bad actors in the world; however, as fraudsters get smarter so do we. Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com."
Some researchers called the incident a high-profile example of how interconnected businesses have become, adding that organizations across the world in every industry are undergoing a similar transformation as outsourcing, globalization and the digitization of business expand their digital ecosystems exponentially.
“Amazon has cultivated one of the largest and most impressive third-party ecosystems in the history of global business with more than two million sellers on the site,” Fred Kneip, chief executive officer (CEO) at CyberGRX, told SC Media. “With so many potential weak links, it's no surprise that hackers have found a way to exploit the network for financial gain.”
He added that companies need to approach third-party cyber risk as a real threat to their business that needs to be continuously managed.
And while the breaches may not affect Amazon immediately, the long-term effects may be corrosive to the brand.
“This is a lesson the SWIFT Network learned after attacks on a member bank led to a costly breach and affected its reputation as a secure network,” Kneip said. “The reality today is that the security and perceived integrity of a network or business extends to the security of the third parties using it. Companies need to more proactively ensure the security of their partners, or risk real damage to their reputation and their brand.”
Some researchers feel that it's a stretch to call the incident a hack and attribute it more to the use of weak passwords and poor cybersecurity hygiene.
“Beyond just the initial breach, the use of these weak passwords and security questions has a far greater impact,” Justin Fier, director of cyber intelligence and analysis at Darktrace, told SC Media. “If even a fraction of the stolen passwords were used in any other site, personal and business lives could be at stake.”
He added that breaches like this can lead to compromises two, three, or even four degrees out from the initial target, which is very concerning for businesses.
In either case, vendors can also take steps to minimize their own risks in the event of a compromise.
“To avoid needless risk and to protect their identity in the event of a breach, people should take a minute to adhere to some password management best practices to help avoid potential dangers,” Kevin Cunningham, president and co-founder of SailPoint, told SC Media. “Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be.”
He added that the Amazon hack is an example of how identity has become a new attack vector and how it's becoming more common for hackers to use credentials stolen from one breach to access other websites.