If you have been on the net long enough, this will creep you out: https://haveibeenpwned.com/
I realized an attack method where:
1. Find an unusual but generic product used by a niche group, such as a particular adult toy.
2. Order the product and sell it using an existing Amazon SKU (very common) at a below-market price point.
3. You now have difficult to procure personal data on a very specific customer segment, paid for in lost margins on the product.
Reminds me somewhat of the old days of Facebook's demographic targeting to get page likes. You could build interesting lists indirectly on the cheap.
It's super against Amazon's TOS for resellers to contact customers outside of Amazon-controlled channels, but I never lost a lot of sleep over it, and don't think people were buying much 3PAR storage off Amazon anyway.
I recently started making up random names when buying from Amazon Marketplace, to see if I can spot a pattern of who's buying and who's selling databases. I'll know better in a few months...
Could also be bad quality, liquidating goods on failed launches, etc.
Yes, this process is automated and usually works, however, the systems don't know everything, and you have to manually override the error to ship the product.
With that said, I think it's grossly irresponsible to look people up on all their social media. This is part of considering customer trust.
I've yet to hear about sellers stalking customers in the real world, but IMO, there isn't any difference between doing this stuff online and the real world. Please don't do this if you are planning to be a seller.
While I agree with you in one sense, this wouldn't even be an issue if people didn't willingly post their entire lives to social media. I don't understand how one can be too upset about someone looking at data that they themselves decided to make public.
Back when I started using Facebook, it was obvious that you were building a profile to be publicly accessible, i.e. viewable by random strangers, and everything you posted publicly you did with the intent of it being a part of that public profile. It was kind of like a blog, but with a guaranteed active audience.
The intent has changed vastly over time.
By the time I was a senior, one of my parties got busted before it started because I forgot to lock down the invite.
Probably won't happen anytime soon, but eventually I think a service like this will exist.
Why Americans don't value their privacy or enjoy being harassed by sales people is beyond me.
Well, that is downright crazy. Most sellers are people in their garages drop shipping 3PL. I'd trust them if they were background checked....maybe
There is nothing stopping anyone that has an e-commerce website from recording a cleartext version of your passwords along with all of your billing address and credit card information.
There's no audits or anything.
Credit card companies are very good at identifying the source of a leak from only a handful of fraud complaints. You'd be surprised how few places are shared across even a small batch of cards, say <50.
If the retailer is large enough to make an impact, they'll get caught and dealt with very quickly, and the value of credit cards and matching PII/CHD today is very low: a few million cards might be worth only a few thousand dollars, depending on their age, source and estimated credit limit.
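The "common point of purchase" reasoning in the two comments above, as an added worked example (not from the thread or from any issuer's real tooling): given the merchant histories of a handful of fraud-reported cards, rank the merchants they share, and compare each merchant's prevalence against a control group of clean cards so the big-box store everybody shops at does not come out on top. Every card id, merchant name and history here is constructed for illustration.

```python
"""Common-point-of-purchase (CPP) analysis over constructed sample data.

Issuers find the merchant behind a card-data leak by looking for a merchant
that almost every fraud-reported card transacted at, then comparing that
prevalence against a control group of cards with no fraud so that
ubiquitous merchants do not score as the "common point".  All card ids,
merchant names and histories below are made up for illustration.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: cards reported for fraud -> merchants seen in the
# look-back window.  card-06 was compromised elsewhere and never visited the
# leaking merchant, which is why a plain intersection is too brittle.
FRAUD_CARDS: Dict[str, List[str]] = {
    "card-01": ["BigBoxMart", "GasStation-7", "tinyshop.example", "CoffeeCo"],
    "card-02": ["BigBoxMart", "tinyshop.example", "Pharmacy-22"],
    "card-03": ["tinyshop.example", "CoffeeCo", "Airline-X"],
    "card-04": ["BigBoxMart", "GasStation-7", "tinyshop.example"],
    "card-05": ["tinyshop.example", "Pharmacy-22", "BigBoxMart"],
    "card-06": ["BigBoxMart", "CoffeeCo", "GasStation-7"],
}

# Constructed control group: cards with no fraud reports in the same window.
CLEAN_CARDS: Dict[str, List[str]] = {
    "card-11": ["BigBoxMart", "CoffeeCo"],
    "card-12": ["BigBoxMart", "GasStation-7"],
    "card-13": ["BigBoxMart", "Pharmacy-22"],
    "card-14": ["CoffeeCo", "GasStation-7"],
    "card-15": ["BigBoxMart", "Airline-X"],
    "card-16": ["BigBoxMart", "CoffeeCo", "GasStation-7"],
    "card-17": ["BigBoxMart"],
    "card-18": ["CoffeeCo", "Pharmacy-22"],
}


def shared_by_all(cards: Dict[str, List[str]]) -> Set[str]:
    """Merchants every card in the set visited (exact intersection)."""
    histories = [set(m) for m in cards.values()]
    return set.intersection(*histories) if histories else set()


def merchant_coverage(cards: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of cards in the set that transacted at each merchant."""
    seen: Counter = Counter()
    for merchants in cards.values():
        seen.update(set(merchants))          # count a card once per merchant
    total = len(cards)
    return {m: n / total for m, n in seen.items()}


def rank_cpp(fraud: Dict[str, List[str]],
             clean: Dict[str, List[str]],
             min_coverage: float = 0.5,
             floor: float = 0.01) -> List[Tuple[str, float, float]]:
    """Rank candidate common points of purchase.

    Returns (merchant, fraud_coverage, lift) sorted by lift, where lift is
    fraud coverage divided by coverage in the control group.  `floor` stops a
    merchant unseen in the control group from dividing by zero while still
    letting it score far above merchants everybody uses.
    """
    fraud_cov = merchant_coverage(fraud)
    clean_cov = merchant_coverage(clean)
    ranked = []
    for merchant, cov in fraud_cov.items():
        if cov < min_coverage:
            continue
        lift = cov / max(clean_cov.get(merchant, 0.0), floor)
        ranked.append((merchant, cov, lift))
    ranked.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    print("shared by every fraud card:", shared_by_all(FRAUD_CARDS) or "none")
    for merchant, cov, lift in rank_cpp(FRAUD_CARDS, CLEAN_CARDS):
        print(f"{merchant:18s} fraud coverage={cov:.2f} lift={lift:6.2f}")
```

On the constructed data BigBoxMart and tinyshop.example each appear on five of the six fraud cards, so raw coverage alone cannot separate them; the control group does, because BigBoxMart is on most clean cards too while tinyshop.example is on none. Card-06 also shows why an exact intersection across all reported cards comes back empty as soon as one card in the batch was compromised somewhere else.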
Maybe that's why we need to move towards blockchain-based networks since trust is not required on blockchain, only proof.
We were routinely getting emails saying "I'm not comfortable sharing my CC info with you" (even though it goes through a processor), so ended up adding PP as an alternative. Guess what - now we get to see their full name and physical address, neither of which we need, because we sell software licenses. I'm guessing that people are more concerned with needing to deal with compromised cards than they are worried about over-sharing of sensitive personal details.
Since a lot of people re-use passwords, if your email is also contained in one of the countless breaches that we've seen cropping up in the last few years, there's a good chance that your Amazon account is using one of the pwned passwords: therefore Amazon's statement that people should not change their Amazon password is potentially harmful advice.
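Checking whether a password is already in a breach corpus, without handing the password (or even its full hash) to the lookup service, is what the Pwned Passwords range API does with a k-anonymity query. The following is an added example, not code from the thread or from haveibeenpwned.com: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 locally against the bucket it gets back. The breach corpus and its counts are made up, and the server class is an offline stand-in for the real HTTPS endpoint; nothing here touches the network.

```python
"""k-anonymity range query of the kind Pwned Passwords uses, run offline.

The client hashes the password with SHA-1, sends only the first five hex
characters of the hash, receives every suffix the server knows under that
prefix, and matches the remaining 35 characters locally.  The server never
learns the full hash, let alone the password.  The corpus and counts below
are constructed for the example and the server class stands in for the real
HTTPS endpoint; nothing here touches the network.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a breach corpus: password -> times seen.  Made up.
FAKE_BREACH_CORPUS: Dict[str, int] = {
    "password": 3861493,
    "letmein": 254000,
    "hunter2": 18000,
    "Tr0ub4dor&3": 2,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket every hash by its 5-hex-char prefix: prefix -> [(suffix, count)]."""
    index: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex_upper(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


class FakeRangeServer:
    """Offline stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines.

    It records every prefix it was asked for so a caller can verify that the
    full hash never crosses the wire.
    """

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index = build_range_index(corpus)
        self.requests: List[str] = []

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly 5 upper-case hex characters")
        self.requests.append(prefix)
        rows = sorted(self.index.get(prefix, []))
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus, or 0 if never.

    Only the 5-character prefix leaves this function; the 35-character suffix
    comparison happens locally over the returned bucket.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = FakeRangeServer(FAKE_BREACH_CORPUS)
    for pw in ("password", "hunter2", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, server.range)} times")
    print("prefixes sent to server:", server.requests)
```

To run this against the real service you would replace `server.range` with a function that performs the HTTPS GET for the prefix and returns the response body; the client-side logic is unchanged, and the property worth checking stays the same: every request the server saw is a five-character prefix, never a full digest.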
Go on then... post your e-mail address.
So whenever a company says that only their user email addresses were compromised and nothing more, I'm pretty skeptical of the validity of their assertions.
It's for the same reason that you don't post your name, address, and email address in a signature of your posts on HN.
One time Jimmy Kimmel ordered some gimmicky yoga thing and wanted it overnighted to his house along with a gift card. I checked and it was his girlfriend's birthday the next day. I called up offering to gift wrap it at no charge just hoping to talk to him but I ended up getting his assistant. Still offered the gift wrapping which they appreciated.
There are some rules around it listed here: https://sellercentral.amazon.com/gp/help/external/200386250
But yeah, it is going to be a hard one for Amazon to enforce unless a number of people complain about a seller.
Thankfully I'm in the habit of using throwaway passwords for sites I consider throwaway.
I have noticed recently that I've been getting a lot of extortion spam, demanding bitcoin and saying that they know my passwords have compromising footage of me, having pwned all my devices. For proof they include a password I used on something like pandora, to the service-specific email address I set up for pandora. It's quite funny but I bet it's caught quite a few people with a guilty conscience out.
Checked with firstname.lastname@example.org, you have to add 14 other 'l's (email@example.com) in order to result in a green good news. How can I validate the claims? I'm a bit skeptical seeing it doubles as a sales front for 1password.com.
Out of nowhere, I received an email from Asics that contained another customer's name, their email address, phone number, and that customer's private message (apparently part of a customer service case). Bizarre. I informed the other customer, who was equally surprised but somewhat grateful for the notification. And I spent an hour or so reporting the incident to various levels of Asics worldwide (I'm in Canada, this customer was in the USA, and their privacy office apparently resides in the EU), partly out of curiosity to see how a small but concerning issue might be handled.
Summary: Asics' privacy office got a customer service manager to contact me for details of the incident. They said "sorry" and "it won't happen again". Okay. ?
Just imagining the damage I could have caused using the 'forgot password' link and their stored CC info...
In the footer is a link to 'help'. On the help page you just click 'need more help' and there's the contact us link.
My other question is where you saw the email address on the order record. I'm looking at my order history and can't even find my own email.
One wonders if this clause should have instead been its own, separate, narrowly focused legislation and enforced specifically as such.
1. You have hundreds of code reviewers, many of whom will have their own motivations
2. The code base is hundreds of years old, poorly maintained and often contradictory in its goals.
3. You have hundreds of millions of users.
There are some known issues of compilers eliding the zeroing out of secret data. There is no portable way of enforcing this.
good grief... I live in this world!
For example, many more opportunities to cause government shutdowns, and many more must-pass bills that can be loaded with pork.
I also think it would encourage less partisan and more consensus-built legislation if the number of votes it passes with extends the amount of time before it sunsets, esp. if the relationship is not linear. Right now, if you have 50%+1 vote in the House, and 60 in the Senate, you don't have to care about the rest, so you can make legislation as extreme as you can while remaining within those boundaries. But if the difference in getting extra votes is a renewal vote in 25 years (with, say, 3/4 supermajority passing) versus just 5 years (50%+1), those extra votes may well be worth fighting for with some concessions.
ftfy. and I'd add that being from the US, I'd expect that sunset clauses on all laws would have the effect of giving the legislators something to do other than raise money for reelection.
The name and contact details of the data protection officer or other contact point where more information can be obtained
The likely consequences of the personal data breach
The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
They are also required to submit the following information to EU authorities, but have given no indication that they have done so or are planning to:
The categories and approximate number of data subjects concerned
The categories and approximate number of personal data records concerned
The mail that Amazon sent to affected customers was barebones and contained almost no information.
Which parts of the specific GDPR requirements did they comply with?
They're incorporated in Luxembourg in order to avoid taxes, making them subject to EU laws (after all, they are subject to Luxembourg tax laws -- that's why they structured their business that way).
You can't have your cake and eat it.
This one is easy to answer: the customer support people aren't particularly technical. In many ways, Amazon is a weird mashup of a traditional retailer and a tech company.
That being said, one of the biggest companies in the world should be more attentive when sending out e-mails like this.
I am very careful with my email. I'm not just guessing here. I actually reported it to Amazon security. (No answer from them, of course.)
There's no reason that a seller should ever see the customer's actual e-mail address on such a site but I'm up to ebay5@ on my mail server due to direct spam from sellers from whom I bought one item in the past.
No, sellers, I did not 'opt in' to your spam just because I bought something. But why does eBay ever give them the address?
Oddly I've never had a problem with random Chinese sellers, it's always Euro or US ones.
There are US sellers that have resulted in 27+ emails _within one day of purchase_, one seller has managed to sign my ebay_a10f9@ alias up for five separate companies reselling third party warranties / affiliate spam for the above. What the fuck?
There was a strong sense of community on eBay in the company's early years that gradually went away over the years, and I still miss it. eBay is now dominated by medium-to-high volume corporate sellers, and that was not how it was originally supposed to work.
> use of Amazon trademarked words, images, or reviews which may include variations or misspellings and this is a violation of our Trademark Guidelines
> An example of the above violation can be found here: amazon@[mydomain]
Sellers have been exposed not buyers.
Regardless, that's AFAIK the first time that ever happened to Amazon. Bad enough if it was third party sellers. A catastrophe if it was Amazon customers. With all the controversy regarding counterfeits in some countries an incident that bears the risk of impacting customer trust is the last thing Amazon needs. Maybe I should have sold my stock 4 months ago... But maybe Q4 will be stellar and stock goes up again in January. I should think about a stop order, just in case Q4 disappoints that year.
If Amazon exposed any data fields more sensitive than email address, I would call that stonewalling/covering up as TC seems to be implying. But otherwise it kind of just sounds like TC being all petulant that Amazon wouldn't tell it everything it wanted to know. And the motivation there is likely to be the generation of clicks, not the protection of customers.
Take the "number of users affected" for example. Knowing that info doesn't help any individual customer. But it does help journalists drum up pageviews, or at least I feel like they believe it does. Having a big number in there is like this (dubious) Holy Grail of page-irresistability. I'm just judging from how, for example, the reporters on the TV news always bug their eyes out and raise their voice and talk really slowly and emphatically any time they come to a number. "The pool was reported to be FOURTEEN FEET DEEP..." "The petition has THIRTY THOUSAND signatures..." Wow! A number! I'm supposed to be all impressed I guess! ZOMG let me throw all my money at you right now!!!!
Internally we treat customer names and email addresses as the second highest data classification. The highest one is credit card/financial/password data.
What does it mean? It means that there are a bunch of requirements that a software team must fulfill and pass (reviewed by an SDE trained in the process, from outside the team). This makes accessing this sort of data a PITA for a lot of people, and I can see why they would send out notifications when a breach like this happens. Amazon takes security very seriously, and it in fact creates quite a bit of friction for many engineers. However, I'd rather have that than the break-things-and-ask-for-forgiveness model of some other companies (not going to name names here).
I don't even think this is anything nefarious by Amazon. It's more that teams dedicated to security issues consider it out of their lane to deal with conflicts between the designed UX and actual user expectations; especially for privacy issues where even asking the person isn't a reliable way to understand what they want.
Can you elaborate? I've never heard this phrase before and google results aren't very helpful.
- traditional media and anti-big-web-tech
Old media might have an axe to grind with big tech making them obsolete, but the cavalier attitudes of big tech companies are pissing off a LOT of people.
I would assume perceived toothlessness. A better question is why should they? Or else what? Is that "what" absorbable by them to not eagerly spend a bunch of money and be shown to kowtow to governments making very large internet laws? Can they just pay it some lip service for now like their peers?
If they weren't an EU company they couldn't take advantage of Luxembourg's tax laws. So it follows that they have to follow all EU laws. Because they're incorporated in the EU.
If they don't choose to put themselves somewhere, everyone may go after them separately.