
Amazon admits it exposed customer email addresses, but refuses to give details - Ours90
https://techcrunch.com/2018/11/21/amazon-admits-it-exposed-customer-email-addresses-doubles-down-on-secrecy/
======
edoo
When I started selling the first gadget I ever made on Amazon I was so excited
and was only getting a couple sales a month. If you were one of my customers I
looked at your house, judged your grass, found you on LinkedIn and Facebook,
Instagram, mortgages, mugshots, everything lol. The sellers also get your full
name and address even on fulfilled by Amazon.

If you have been on the net long enough this will creep you out:
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
dizzystar
For anyone who is curious why a seller gets this much information, you have to
be able to confirm the shipping address is correct. Google Maps can quicken
this process.

Yes, this process is automated and usually works, however, the systems don't
know everything, and you have to manually override the error to ship the
product.

With that said, I think it's grossly irresponsible to look people up on all
their social media. This is part of considering customer trust.

I've yet to hear about sellers stalking customers in the real world, but IMO,
there isn't any difference between doing this stuff online and the real world.
Please don't do this if you are planning to be a seller.

~~~
tdurden
> I think it's grossly irresponsible to look people up on all their social
> media.

While I agree with you in one sense, this wouldn't even be an issue if people
didn't willingly post their entire lives to social media. I don't understand
how one can be too upset about someone looking at data that they themselves
decided to make public.

~~~
JoeAltmaier
"Their window curtains were open, Officer! I just stood outside, on the grass,
with my camera and a news crew."

~~~
TeMPOraL
Curious how time has changed people's perceptions, even though the service
itself didn't.

Back when I started using Facebook, it was obvious that you're building a
profile to be _publicly accessible_ , i.e. viewable by random strangers, and
everything you posted publicly you did with the intent of it being a part of
that public profile. It was kind of like blog, but with guaranteed active
audience.

~~~
alttab
Funny, because when I started using Facebook it was obvious I was building a
profile to be only accessible to direct friends at my school. I could safely
post party pictures without worrying who saw them.

The intent has changed vastly over time.

By the time I was a senior, one of my parties got busted before it started
because I forgot to lock down the invite.

------
kull
This is how it looked for me: I few days ago I was shopping on Amazon and they
showed me a message, you already purchased this product. See order details. I
was surprised since I did not buy it before. After clicking the link, I was
shown details of not my order, including name, address and email where a
product was shipped to.

~~~
tyingq
Maybe someone released a pretty aggressive page cache to help handle "Black
Friday" shopping.

~~~
SahAssar
Sounds like the steam cache issue three years ago:
[https://www.youtube.com/watch?v=dkSslseq9Y8](https://www.youtube.com/watch?v=dkSslseq9Y8)

~~~
tyingq
Ahh, yeah. Steam's explanation:
[https://store.steampowered.com/news/19852/](https://store.steampowered.com/news/19852/)

------
fredley
This is one of the less appreciated clauses of the GDPR: That companies are
_required_ to disclose data breaches within a reasonable time-frame, and users
_have the right_ to know about any exposure of their data.

~~~
behringer
It sounds like they did that but TC wants more. I'm not really sure why HN
allows techcrunch stories on the front page. TC is tabloid journalism at its
finest.

~~~
p49k
They did not disclose any of the following as specified by the data breach
notification requirements of the GDPR:

 _The name and contact details of the data protection officer or other contact
point where more information can be obtained_

 _The likely consequences of the personal data breach_

 _The measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects_

The are also required to submit the following information to EU authorities,
but have given no indication that they have done so or are planning to:

 _The categories and approximate number of data subjects concerned_

 _The categories and approximate number of personal data records concerned_

The mail that Amazon sent to affected customers was barebones and contained
almost no information.

~~~
ganeshkrishnan
I think only Amazon Europe account was leaked. We have account in couple of
countries and I got the email only on my UK account.

~~~
jessaustin
I live in USA, have only ever used Amazon in USA, and I got the email.

------
ben509
"Besides the brevity, what's giving people pause is they sign the email
[http://Amazon.com](http://Amazon.com) Why cap the "a" and why no
[https://](https://)? Strange"

This one is easy to answer: the customer support people aren't particularly
technical. In many ways, Amazon is a weird mashup of a traditional retailer
and a tech company.

~~~
ouaiueoaieaeoiu
To add insult to injury, [http://amazon.com](http://amazon.com) redirects
(301) to [https://amazon.com](https://amazon.com), but does not publish HSTS
headers nor is it in the hstspreload list (but www.amazon.com is).

[https://hstspreload.org/?domain=amazon.com](https://hstspreload.org/?domain=amazon.com)
[https://hstspreload.org/?domain=www.amazon.com](https://hstspreload.org/?domain=www.amazon.com)

------
jiveturkey
based on spam email i have received, that i clearly should not have, i believe
this was an exposure to marketplace sellers from whom you have bought a
product.

I am _very_ careful with my email. i’m not just guessing here. i actually
reported it to amazon security. (no answer from them of course.)

~~~
dingaling
eBay are particularly careless in that regard.

There's no reason that a seller should ever see the customer's actual e-mail
address on such a site but I'm up to ebay5@ on my mail server due to direct
spam from sellers from whom I bought one item in the past.

No, sellers, I did not 'opt in' to your spam just because I bought something.
But why does eBay ever give them the address?

Oddly I've never had a problem with random Chinese sellers, it's always Euro
or US ones.

~~~
dylz
Chinese sellers have been very pleasant to deal with IME, including obviously
hand-written niceties, handwritten thank you notes (maybe not in the best
English but the sentiment is there) for a bunch of stuff. Occasionally small
'gift' items, have gotten Chinese fun-size snacks too.

There are US sellers that have resulted in 27+ emails _within one day of
purchase_, one seller has managed to sign my ebay_a10f9@ alias up for five
separate companies reselling third party warranties / affiliate spam for the
above. What the fuck?

------
sharkweek
Amazon is being so strangely cagey about this - I followed up on the email
asking who saw my email, and they sent back the exact same response.

------
rhizome
Aren't all programming mistakes and bugs "technical errors?"

------
hef19898
One comment further down stated that it might have affected marketplace
sellers. Amazon doesn't really put the same amount of thought and resources on
marketplace than Amazon retail even if they should IMHO.

Regardless, that's AFAIK the first time that ever happened to Amazon. Bad
enough if it was third party sellers. A catastrophe if it was Amazon
customers. With all the controversy regarding counterfeits in some countries
an incident that bears the risk of impacting customer trust is the last thing
Amazon needs. Maybe I should have sold my stock 4 months ago... But maybe Q4
will be stellar and stock goes up again in January. I should think about a
stop order, just in case Q4 disappoints that year.

------
rdiddly
An email address isn't secret, is it? It's sent back and forth in clear text
through any number of relay servers. I consider my name and email address to
be basically public information. Along with (unfortunately) my Social Security
number.

If Amazon exposed any data fields _more_ sensitive than email address, I would
call that stonewalling/covering up as TC seems to be implying. But otherwise
it kind of just sounds like TC being all petulant that Amazon wouldn't tell it
everything it wanted to know. And the motivation there is likely to be the
generation of clicks, not the protection of customers.

Take the "number of users affected" for example. Knowing that info doesn't
help any individual customer. But it does help journalists drum up pageviews,
or at least I feel like _they believe_ it does. Having a big number in there
is like this (dubious) Holy Grail of page-irresistability. I'm just judging
from how, for example, the reporters on the TV news always bug their eyes out
and raise their voice and talk really slowly and emphatically any time they
come to a number. "The pool was reported to be FOURTEEN FEET DEEP..." "The
petition has THIRTY THOUSAND signatures..." Wow! A number! I'm supposed to be
all impressed I guess! _ZOMG let me throw all my money at you right now!!!!_

~~~
saltysugar
Amazon employee here, but the statement I'm making is of my own.

Internally we treat customer names and email addresses as the second highest
data classification. The highest one is credit card/financial/password data.

What does it mean? It means that there are a bunch of requirements that a
software team must fulfill and pass (reviewed by an SDE trained in the process
outside the team). This makes accessing this sort of data a PITA for a lot of
people, and I can see why they why they would send out notifications when a
breach like this happen. Amazon takes security very seriously, and it in fact
creates quite a bit of friction to many engineers. However, I'd rather than
than the break things and ask for forgiveness model like some other companies
(not going to name names here)

~~~
ben509
I can confirm that names and email addresses are classified as saltysugar
states, and the security reviews. So they do have to pass all those
requirements for secure storage and transmission, but then names and emails
are made visible by default through mechanisms like reviews, profile,
wishlists, and that passes the review because it is the user's choice.

I don't even think this is anything nefarious by Amazon. It's more that teams
dedicated to security issues consider it out of their lane to deal with
conflicts between the designed UX and actual user expectations; especially for
privacy issues where even asking the person isn't a reliable way to understand
what they want.

~~~
pluma
> saltysugar

Can you elaborate? I've never heard this phrase before and google results
aren't very helpful.

~~~
curiousfab
It's not a policy, it's the username of the parent's poster.

~~~
ben509
LOL, now I realize the wisdom of not referring to people by usernames...
"saltysugar states" sounds completely plausible.

------
moneil971
Every major tech company has had this problem, yet people still keep sharing
their personal info (even home address, phone numbers, social security
numbers) online. Don't share anything you wouldn't yell out on a crowded
street to strangers.

------
jumpinalake
The video advertisement on the linked webpage crashed Safari on my iPhone.

------
danielor
Hmm... it seems this drip of bad news in big tech is setting up for some
heated debates on regulation. It will be interesting how proactive the
Europeans are with GDPR.

~~~
kodablah
"Goal accomplished"

\- traditional media and anti-big-web-tech

~~~
ionised
Change the record.

Old media might have an axe to grind with big tech making them obsolete, but
the cavalier attitudes of big tech companies are pissing off a LOT of people.

------
gnulinux
I don't understand this. In the American startup I'm working we're extremely
careful with respectful data practices due to ethics and GDPR (we have a lot
European customers). Why doesn't Amazon give a shit about GDPR? Do they have a
leverage?

~~~
buboard
amazon doesn't have european headquarters

~~~
cyphar
They do, so they can avoid taxes all over the world. Not only do they have an
EU incorporated company, if you believe their tax filings their primary
business is based in Luxembourg. This is obviously bullshit, and is done to
avoid taxes, but they have structured their company in a way that makes them
_very much_ an EU company.

If they weren't an EU company they couldn't take advantage of Luxembourg's tax
laws. So it follows that they have to follow all EU laws. Because they're
incorporated in the EU.

~~~
buboard
you re right. The idea here is that luxembourg (or any country) would have to
weigh any violations against their interests to keep amazon in their
territory.

------
erbium
Would explain the billions of new spam emails I've been receiving.

------
Tsubasachan
Amazon and my spam filter have a long and intimate relationship.

------
garysahota93
Wasn't there another post on HN of this?

~~~
ProAm
I think it got black holed by the mods.

------
isarang
Watch this space [https://amazon.com/profile](https://amazon.com/profile)

