Hacker News new | past | comments | ask | show | jobs | submit login
Amazon admits it exposed customer email addresses, but refuses to give details (techcrunch.com)
521 points by Ours90 on Nov 21, 2018 | hide | past | favorite | 146 comments

When I started selling the first gadget I ever made on Amazon I was so excited and was only getting a couple sales a month. If you were one of my customers I looked at your house, judged your grass, found you on LinkedIn and Facebook, Instagram, mortgages, mugshots, everything lol. The sellers also get your full name and address even on fulfilled by Amazon.

If you have been on the net long enough this will creep you out: https://haveibeenpwned.com/

I also noticed complete customer data access selling a bike part I had CAMd in China last year.

I realized an attack method where:

1. Find an unusual but generic product used by niche group such as a particilar adult toy.

2. Order product and sell in using existing amazon SKU (very common) at below market price point.

3. You now have difficult to procure personal data on a very specific customer segment, paid for in lost margins on the product.

Reminds me somewhat of the old days of Facebooks demographic targeting to get page likes. You could build interesting lists indirectly on the cheap.

The Amazon store I ran when I worked for a VAR was the best lead generation tool the company I worked for had ever found. I sold a part that if you bought indicated to us that your annual IT spend was minimum 150K a year, and I sold dozens of these parts a week. Most companies have a customer acquisition cost, we got paid to get new customers.

It's super against Amazon's TOS for resellers to contact customers outside of Amazon controlled channels, but I never lost a lot of sleep over it, and dont think people were buying much 3PAR storage off amazon anyway.

That is likely the model of many resellers on Amazon Marketplace. Some products are so cheap (including free shipping) that they must be making money by selling my information to direct marketers.

I recently started making up random names when buying from Amazon Marketplace, to see if I can spot a pattern of who's buying and who's selling databases. I'll know better in a few months...

Please report your findings. This sounds like great research.

Seems unlikely. What's more likely is people launch products at a loss in hopes of getting good reviews and expecting to be able to raise prices later. People are fine losing money for months to build up a product.

Could also be bad quality, liquidating goods on failed launches, etc

For anyone who is curious why a seller gets this much information, you have to be able to confirm the shipping address is correct. Google Maps can quicken this process.

Yes, this process is automated and usually works, however, the systems don't know everything, and you have to manually override the error to ship the product.

With that said, I think it's grossly irresponsible to look people up on all their social media. This is part of considering customer trust.

I've yet to hear about sellers stalking customers in the real world, but IMO, there isn't any difference between doing this stuff online and the real world. Please don't do this if you are planning to be a seller.

> I think it's grossly irresponsible to look people up on all their social media.

While I agree with you in one sense, this wouldn't even be an issue if people didn't willingly post their entire lives to social media. I don't understand how one can be too upset about someone looking at data that they themselves decided to make public.

"Their window curtains were open, Officer! I just stood outside, on the grass, with my camera and a news crew."

Curious how time has changed people's perceptions, even though the service itself didn't.

Back when I started using Facebook, it was obvious that you're building a profile to be publicly accessible, i.e. viewable by random strangers, and everything you posted publicly you did with the intent of it being a part of that public profile. It was kind of like blog, but with guaranteed active audience.

Funny, because when I started using Facebook it was obvious I was building a profile to be only accessible to direct friends at my school. I could safely post party pictures without worrying who saw them.

The intent has changed vastly over time.

By the time I was a senior, one of my parties got busted before it started because I forgot to lock down the invite.

Therefore, postal services should offer the possibility of making a "dummy address", so only they know your real address.

Probably won't happen anytime soon, but eventually I think a service like this will exist.

Actually Canada Post has that service here - Flex Delivery (https://www.canadapost.ca/cpc/en/personal/receiving/alternat...). Now if only they weren't on strike and would deliver the mail.

Almost perfect, but it appears they don't send the package to your home address but instead keep it at the post office.

Definitely a trade off. But I'm willing to accept it. It also means that I never have to play the Purolator/Fedex game where I prove I was home and they didn't ring the bell - because of my camera.

Its actually illegal for companies to contact me unless I already have business with them.

Why Americans don't value their privacy or enjoy being harassed by sales people is beyond me.

I can also confirm, I can still see names and addresses, but not emails. Honestly any online retailer has to be trusted with this information, and in the fulfillment by Amazon (FBA) case, there are 3rd party sellers that have some unnecessary access to it. I personally don't actually need access to it since I do FBA exclusively.

Without giving you the address Amazon would find it difficult to argue that you are the seller and not them. Which will probably become relevant in a case about counterfeits on Amazon's site.

There used to be custom report you could run from one of the advanced dashboards that would still give you the email, it was called something unintuitive in the logistics category.

> any online retailer has to be trusted

Well that is down right crazy. Most sellers are people in their garages drop shipping 3PL. I'd trust them if they were background checked....maybe

The internet is based on trust.

There is nothing stopping anyone that has an e-commerce website from recording a clear version of your passwords along with all of your billing address and credit card informations.

There's no audits or anything.

There are audits a large enough retailer would need a QSA audited PCI compliance report and while they can have 2 versions to avoid being flagged by the auditor their liability when getting caught would be colossal.

Credit Card companies are very good at identifying the source of the leak from only a handful of fraud complaints you’ll be surprised how few places would be shared across even a small batch of cards say <50.

If the retailer is large enough to make an impact they’ll get caught and dealt with very quickly and the value of credit cards and matching PII/CHD today is very low a few million cards might be worth only a few 1000’s of dollars depending on their age, source and estimated credit limit.

I agree, the scale of amazon makes it nearly impossible for any type of remediation or penalty if its abused. It would hurt the consumers life far worse than anything Amazon would be interested in looking into. Identify theft for someone shopping to save the most money to help make ends meet might ruin their life, whereas the loss of business/revenue/profit by either the seller or buyer to Amazon is laughable.

> The internet is based on trust.

Maybe that's why we need to move towards blockchain-based networks since trust is not required on blockchain, only proof.

Then people have to trust the people with the time, energy, and interest to know how to develop the stuff behind it. All it does is shift the trust to people who are even less accountable.

The exact same goes for PayPal.

We were routinely getting emails saying "I'm not comfortable sharing my CC info with you" (even though it goes through a processor), so ended up adding PP as an alternative. Guess what - now we get to see their full name and physical address, neither of which we need, because we sell software licenses. I'm guessing that people are more concerned with needing to deal with compromised cards than they are worried about over-sharing of sensitive personal details.

Why would anyone care if you had their address, or email address? Why would Amazon be interested in going into details about an email address leak? Outside of a handful of people who get excited by every leak no matter what, nobody cares. It's an email address. You get some more spam maybe? Big deal.

Because Amazon leaking your email address means you are registered on Amazon; there is a high likelihood that you actually purchased stuff there, and therefore they have your address on file, and maybe even your credit card.

Since a lot of people re-use passwords, if your email is also contained in one of the countless breaches that we've seen cropping out in the last few years, there's a good chance that your Amazon account is using one of the pwned passwords: therefore Amazon's statement that people should not change their Amazon password is potentially harmful advice.

> nobody cares. It's an email address. You get some more spam maybe? Big deal.

Go on then... post your e-mail address.

People care because it begs more questions. Why is Amazon leaking email addresses? What part of their system is unsecure? Can we trust Amazon at all?

Presumably because nobody cares about the security of email addresses. The part of their system which handles credit cards hasn't been shown to be compromised, but maybe Gmail's spam filter needs to work a little harder. (I've already spent longer writing this than I spend going through my spam folder each year)

If a company's user email list is hacked, how much harder is it to attack other information? Financial information (e.g., credit cards) usually get extra security, but plenty of other information is typically stored right next to email addresses (e.g., user behavior history, IP addresses, signup dates, pricing info, password hashes, friend connections, etc etc etc).

So whenever a company says that only their user email addresses were compromised and nothing more, I'm pretty skeptical of the validity of their assertions.

> Why would anyone care if you had their address, or email address?

It's for the same reason that you don't post your name, address, and email address in a signature of your posts on HN.

American payment providers are the tools of the devil. I have a CC because its basically the only way to pay in the US but I will never use it anywhere else.

Yeah, when I used to sell on Amazon about 10 years ago, I'd see celebrities' names and phone numbers.

One time Jimmy Kimmel ordered some gimmicky yoga thing and wanted it overnighted to his house along with a gift card. I checked and it was his girlfriend's birthday the next day. I called up offering to gift wrap it at no charge just hoping to talk to him but I ended up getting his assistant. Still offered the gift wrapping which they appreciated.

You only get shipping address, not billing address, right? I have always got my Amazon stuff shipped to a work office address, so hopefully have kept the residential (billing) address from sketchy sellers! heh

Just a billing/customer name but no address. Email communication goes via Amazon so they can cut you off from the customer and also so they can remove email addresses and link, but they can't do much if a seller wants to call up or send promotional material in the package.

Hmm, I see. In the past I ordered what ended up being a scam/"mistake"-priced item on Amazon, and I left negative feedback for the seller seemingly purposely baiting & switching customers by pricing items substantially low, cancelling the order on them, and offering them a store discount if they remove the negative review (this appears to be their long-term MO, as per the countless other reviewers experiencing the same bait & switch). A rep from the respective store actually called me on my cell phone, which is not listed in my shipping address (and is not in any public listings anywhere). Amazon should be more upfront/clear about what information is actually passed to a seller on their marketplace (ignoring manually scouring through EULA/ToS).

Yeah the only reason Amazon provides the phone number is because a lot of carriers require a number to be on the label.

There are some rules around it listed here: https://sellercentral.amazon.com/gp/help/external/200386250 But yeah, it is going to be a hard one for Amazon to enforce unless a number of people complain about a seller.

I love that site.

Thankfully I'm in the habit of using throwaway passwords for sites I consider throwaway.

I have noticed recently that I've been getting a lot of extortion spam, demanding bitcoin and saying that they know my passwords have compromising footage of me, having pwned all my devices. For proof they include a password I used on something like pandora, to the service-specific email address I set up for pandora. It's quite funny but I bet it's caught quite a few people with a guilty conscience out.

any of my actual email addresses don't show up on that site. Any of the email addresses I use for random web sign ups all appear on that site. I wouldn't use my bank password on any other site, why would I use the same email address?

If you have been on the net long enough this will creep you out: https://haveibeenpwned.com/

Checked with lol@gmail.com, you have to add 14 other 'l's (lolllllllllllllll@gmail.com) in order to result in a green good news. How can I validate the claims? I'm a bit skeptical seeing it doubles as a sales front for 1password.com.

It just cross references emails with public hack dumps. I have 7 listed breaches on sites with the email I've had forever. Those accounts didn't compromise my opsec in any way but it is interesting to see. The average person using the net for a while has some on there. It is an interesting tool. If someone is trying to hack you they might start there and see what your old passwords looked like.

Do a bit more research: you'll find that Troy (the guy who runs the service) has been working on this for several years before any involvement with 1password, and so far he's been very transparent about what he does with breach data and also about his relationship with 1password. Whenever he gets access to an unverified dump he first tries to verify its authenticity with the company or service that was pwned, then gets in touch with people whose details are in the dump to verify if the data is real.

I'm aware, but my question is how can I verify it myself instead of taking his word for it.

You'd have to download each of the public hack dumps and check for your email in them.

I've verified some of the reported breaches myself (from publicly available password dumps). It's not a 100% given that those matching means it's all good, but it's a pretty solid indication.

This is how it looked for me: I few days ago I was shopping on Amazon and they showed me a message, you already purchased this product. See order details. I was surprised since I did not buy it before. After clicking the link, I was shown details of not my order, including name, address and email where a product was shipped to.

Maybe someone released a pretty aggressive page cache to help handle "Black Friday" shopping.

Sounds like the steam cache issue three years ago: https://www.youtube.com/watch?v=dkSslseq9Y8

Ahh, yeah. Steam's explanation: https://store.steampowered.com/news/19852/

I'll share a similar experience with Asics (the running shoe company) a couple of weeks ago.

Out of nowhere, I received an email from Asics that contained another customer's name, their email address, phone number, and that customer's private message (apparently part of a customer service case). Bizarre. I informed the other customer, who was equally surprised but somewhat grateful for the notification. And I spent an hour or so reporting the incident to various levels of Asics worldwide (I'm in Canada, this customer was in the USA, and their privacy office apparently resides in the EU), partly out of curiosity to see how a small but concerning issue might be handled.

Summary: Asics' privacy office got a customer service manager to contact me for details of the incident. They said "sorry" and "it won't happen again". Okay. ?

This is already a better response than I would expect from most multinationals. Thanks for sharing.

This sounds like a possible reason why they can’t disclose the full extent of it. Cloudbleed was pretty tough to ascertain the extent of. Not a lot of caches I’ve had experience with have deep tools for introspection and auditing. I don’t believe they’re developed that way.

Even more fun I recently had someone outfitting their brand new restaurant in New Jersey using my email address on a bunch of different sites like Amazon and Walmart. It was getting annoying so I was going to send them a text message telling them to get their own damn gmail account but they seemed to have stopped.

Just imagining the damage I could have caused using the 'forgot password' link and their stored CC info...

One thing I wanted to add is that I wanted to report this issue to Amazon right away, it was very concerning to me. So, I clicked Ctrl+F to search for "contact" then "support", I went quickly through a few drop downs on the navbar, and I found nowhere any indication I can easily contact Amazon support to report it. I moved on and forgotten about this. So many companies make it super hard to contact their support.

There's no big blaring 'contact us' button but it's not that hard to find.

In the footer is a link to 'help'. On the help page you just click 'need more help' and there's the contact us link.

Uh, that just sounds completely unrelated. You didn't get your "email" "exposed", your account got pwned.

Why so? This is how somebody's data was exposed to me, and how my data was exposed to somebody else.

Ah, I see what you mean, at least about the other person's data being exposed to you. I interpreted your story as someone making unauthorized purchases on your account. Do you think they accidentally merged your account or order history with this other person's? That's much worse than what they're currently admitting to, to say the least.

My other question is where you saw the email address on the order record. I'm looking at my order history and can't even find my own email.

This is one of the less appreciated clauses of the GDPR: That companies are required to disclose data breaches within a reasonable time-frame, and users have the right to know about any exposure of their data.

> This is one of the less appreciated clauses of the GDPR

One wonders if this clause should have instead been its own, separate, narrowly focused legislation and enforced specifically as such.

Any particular reason? Seems like a reasonable thing for the GDPR to have.

Same reason you might do a gradual refractor instead of a large software rewrite. The more narrowly scoped a piece of legislation, the more feedback and implementation/enforcement can be tailored to the satisfaction of all before increasing scope (or not if ineffective). In the GDPR's case, it superseded existing data protection legislation because of a somewhat opposite mindset: the scope/consequences/enforcement weren't large enough. Also, such size potentially dilutes differing priorities by lumping several goals together thereby marrying its implementation success/failure to the general success/failure of the overall legislation.

Writing laws is like writing software in every way except:

1. You have hundreds of code reviewers, many of whom will have their own motivations

2. The code base is hundreds of years old, poorly maintained and often contradictory in its goals.

3. You have hundreds of millions users.

4. the machine that executes the code is ill-defined and will change far before the code you write is retired.

An program written in an ill-defined language being run by a malicious interpreter with an agenda would be a really interesting project in seeing how far you could twist the meaning of the original program.

I mean, snarky people might refer to 'optimizing compilers' using 'undefined behavior' in C.

There are some known issues of compilers eliding the zero-ing out of secret data. There is no portable way of enforcing this.

> run by a malicious interpreter

good grief... I live in this world!

IMO legislators should spend most of their time (at least until a reasonable "break even" is achieved") striking old, erroneous, irrelevant laws.

These laws don't cost very much because they get deprecated through less formal mechanisms (they are reinterpreted, or the bodies responsible for enforcing or adjudicating them decline to do so), which makes this a very inefficient use of a legislature's time.

Better yet, attach a sunset clause to every law, proportional to the number of votes it gets (and maybe unanimously passed = no sunset). Now they'll have to spend some of their time renewing old laws, and if anything is too toxic for the majority to vote for, it goes away.

That would get rid of obsolete laws, but I'm not sure people would enjoy all the side-effects such a law would have, at least in the United States.

For example, many more opportunities to cause government shutdowns, and many more must-pass bills that can be loaded with pork.

It would be an interesting test of what is actually "must pass", though.

I also think it would encourage less partisan and more consensus-built legislation if the number of votes it passes with extends the amount of time before it sunsets, esp. if the relationship is not linear. Right now, if you have 50%+1 vote in the House, and 60 in the Senate, you don't have to care about the rest, so you can make legislation as extreme as you can while remaining within those boundaries. But if the difference in getting extra votes is a renewal vote in 25 years (with, say, 3/4 supermajority passing) versus just 5 years (50%+1), those extra votes may well be worth fighting for with some concessions.

> loaded with sunset port.

ftfy. and I'd add that being from the US, I'd expect that sunset clauses on all laws would have the effect of giving the legislators something to do other than raise money for reelection.

It sounds like they did that but TC wants more. I'm not really sure why HN allows techcrunch stories on the front page. TC is tabloid journalism at its finest.

They did not disclose any of the following as specified by the data breach notification requirements of the GDPR:

The name and contact details of the data protection officer or other contact point where more information can be obtained

The likely consequences of the personal data breach

The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

The are also required to submit the following information to EU authorities, but have given no indication that they have done so or are planning to:

The categories and approximate number of data subjects concerned

The categories and approximate number of personal data records concerned

The mail that Amazon sent to affected customers was barebones and contained almost no information.

They probably aren't obliged to speak to TechCrunh or any of the media about it, though.

I think only Amazon Europe account was leaked. We have account in couple of countries and I got the email only on my UK account.

I live in USA, have only ever used Amazon in USA, and I got the email.

I am in Eastern Europe and have account only in US Amazon. This morning I also got that email..

I am in the US and got the email to my personal account, not my seller account.

We could really use a good journalist to go out and find the answers to those questions right about now.

There's been now and then reasonable TC articles that produced good conversations here on HN though. They also make mention of a reasonable number of startups which is obviously something that sparks interest to many here on HN.

> It sounds like they did

Which parts of the specific GDPR requirements did they comply with?

GDPR isn't a US law.

But Amazon is an EU company.

They're incorporated in Luxembourg in order to avoid taxes, making them subject to EU laws (after all, they are subject to Luxembourg tax laws -- that's why they structured their business that way).

You can't have your cake and eat it.

"Besides the brevity, what's giving people pause is they sign the email http://Amazon.com Why cap the "a" and why no https://? Strange"

This one is easy to answer: the customer support people aren't particularly technical. In many ways, Amazon is a weird mashup of a traditional retailer and a tech company.

To add insult to injury, http://amazon.com redirects (301) to https://amazon.com, but does not publish HSTS headers nor is it in the hstspreload list (but www.amazon.com is).

https://hstspreload.org/?domain=amazon.com https://hstspreload.org/?domain=www.amazon.com

Yeah, this is one of those things that might look weird at first but is probably just a wonky quirk of bureaucratic systems, PR engagement, non-technical writers and probably even autocorrect. It's not far from the realm of possibility that someone tried to sign off a pre-written e-mail with "Amazon.com" and somewhere along the line a token "http://" got added to it by sheer mistake.

That being said, one of the biggest companies in the world should be more attentive when sending out e-mails like this.

based on spam email i have received, that i clearly should not have, i believe this was an exposure to marketplace sellers from whom you have bought a product.

I am very careful with my email. i’m not just guessing here. i actually reported it to amazon security. (no answer from them of course.)

eBay are particularly careless in that regard.

There's no reason that a seller should ever see the customer's actual e-mail address on such a site but I'm up to ebay5@ on my mail server due to direct spam from sellers from whom I bought one item in the past.

No, sellers, I did not 'opt in' to your spam just because I bought something. But why does eBay ever give them the address?

Oddly I've never had a problem with random Chinese sellers, it's always Euro or US ones.

Chinese sellers have been very pleasant to deal with IME, including obviously hand-written niceties, handwritten thank you notes (maybe not in the best English but the sentiment is there) for a bunch of stuff. Occasionally small 'gift' items, have gotten Chinese fun-size snacks too.

There are US sellers that have resulted in 27+ emails _within one day of purchase_, one seller has managed to sign my ebay_a10f9@ alias up for five separate companies reselling third party warranties / affiliate spam for the above. What the fuck?

I have a different point of view as a longtime eBay user on both the buying and selling side. The more the company acted to "re-intermediate" buyer-seller interaction by doing things like restricting auction content, channeling communication through their own messaging system, concealing identities in feedback to prevent buyers and sellers from doing reasonable due diligence on each other, prohibiting various payment methods in order to shove PayPal down everyone's throats, and so on, the less interested I became in using eBay in general.

There was a strong sense of community on eBay in the company's early years that gradually went away over the years, and I still miss it. eBay is now dominated by medium-to-high volume corporate sellers, and that was not how it was originally supposed to work.

They intentionally provide this information to marketplace sellers. It's arguably poor design but it's definitely not an unintentional security flaw. Marketplace/FBA sellers have talked about strategies for utilizing customer email address for years [1]

[1] https://sellercentral.amazon.com/forums/t/how-to-access-all-...

No, the email address listed there is an @marketplace.amazon.com address that forwards messages to the customer while adding an Amazon footer, not the actual user email address. If the latter was shared with sellers somewhere, that was not intentional.

Also, your Amazon profile is public by default, especially any wishlists.

This is incredibly creepy. A few months ago I realized this and was able to find some friend's profiles and see their reviews. I hate implicit sharing/suggested friends/etc in services especially non-social services. For instance, my friend is following me on a tech shopping site I use... something I have 0 interest in. I've started attaching pseudo anonymous sites to a backup email address for this reason. If I want to friend someone I'll find them.

Wow. That's incredible. I would say this is completely against what I would assume the expected behavior would be.

It kind of makes sense for wishlists.

Great reason to setup wildcard e-mails so you can do something like amazon@yourdomain.com!

I would assume that's how OP knows the leak came from amazon (assuming the address was more obscure than amazon@whatever.com)

Might not be best idea to use exact word amazon, have gotten this email before -

> use of Amazon trademarked words, images, or reviews which may include variations or misspellings and this is a violation of our Trademark Guidelines

> [...]

> An example of the above violation can be found here: amazon@[mydomain]

I would be surprised if that was enforceable, it sounds more like an effort to ensure they're proactive about their trademark.

Well it's certainly enforceable in that you won't be able to use it for your Amazon account. They are free to reject any email address they like.

I would also not suggest using the exact company name/URL in the email address used to sign up. One time I couldn't log in to my password manager service and after a _lot_ of back and forth it turned out that after some years my email was somehow scraped from their DB for using their domain name in my email... So now I always go with something obscure but still traceable back to the service it was used for.

No it's the other way around. I am a marketplace seller and I have started receiving phishing links to my unique amazon email account.

Sellers have been exposed not buyers.

I'm not a seller and I got the email.

Some AI laughed at your email, put a +1 on a category threshold counter and then deleted it. I hope you didn't put too much effort into it.

Do Perl scripts qualify as AI?

Amazon is being so strangely cagey about this - I followed up on the email asking who saw my email, and they sent back the exact same response.

Aren't all programming mistakes and bugs "technical errors?"

One comment further down stated that it might have affected marketplace sellers. Amazon doesn't really put the same amount of thought and resources on marketplace than Amazon retail even if they should IMHO.

Regardless, that's AFAIK the first time that ever happened to Amazon. Bad enough if it was third party sellers. A catastrophe if it was Amazon customers. With all the controversy regarding counterfeits in some countries an incident that bears the risk of impacting customer trust is the last thing Amazon needs. Maybe I should have sold my stock 4 months ago... But maybe Q4 will be stellar and stock goes up again in January. I should think about a stop order, just in case Q4 disappoints that year.

An email address isn't secret, is it? It's sent back and forth in clear text through any number of relay servers. I consider my name and email address to be basically public information. Along with (unfortunately) my Social Security number.

If Amazon exposed any data fields more sensitive than email address, I would call that stonewalling/covering up as TC seems to be implying. But otherwise it kind of just sounds like TC being all petulant that Amazon wouldn't tell it everything it wanted to know. And the motivation there is likely to be the generation of clicks, not the protection of customers.

Take the "number of users affected" for example. Knowing that info doesn't help any individual customer. But it does help journalists drum up pageviews, or at least I feel like they believe it does. Having a big number in there is like this (dubious) Holy Grail of page-irresistability. I'm just judging from how, for example, the reporters on the TV news always bug their eyes out and raise their voice and talk really slowly and emphatically any time they come to a number. "The pool was reported to be FOURTEEN FEET DEEP..." "The petition has THIRTY THOUSAND signatures..." Wow! A number! I'm supposed to be all impressed I guess! ZOMG let me throw all my money at you right now!!!!

Amazon employee here, but the statement I'm making is of my own.

Internally we treat customer names and email addresses as the second highest data classification. The highest one is credit card/financial/password data.

What does it mean? It means that there are a bunch of requirements that a software team must fulfill and pass (reviewed by an SDE trained in the process outside the team). This makes accessing this sort of data a PITA for a lot of people, and I can see why they why they would send out notifications when a breach like this happen. Amazon takes security very seriously, and it in fact creates quite a bit of friction to many engineers. However, I'd rather than than the break things and ask for forgiveness model like some other companies (not going to name names here)

I can confirm that names and email addresses are classified as saltysugar states, and the security reviews. So they do have to pass all those requirements for secure storage and transmission, but then names and emails are made visible by default through mechanisms like reviews, profile, wishlists, and that passes the review because it is the user's choice.

I don't even think this is anything nefarious by Amazon. It's more that teams dedicated to security issues consider it out of their lane to deal with conflicts between the designed UX and actual user expectations; especially for privacy issues where even asking the person isn't a reliable way to understand what they want.

> saltysugar

Can you elaborate? I've never heard this phrase before and google results aren't very helpful.

It's not a policy, it's the username of the parent's poster.

LOL, now I realize the wisdom of not referring to people by usernames... "saltysugar states" sounds completely plausible.

I notice you don't have your email address in your HN profile.

I do though.

What's your email address?

..and name and Social Security number?

Every major tech company has had this problem, yet people still keep sharing their personal info (even home address, phone numbers, social security numbers) online. Don't share anything you wouldn't yell out on a crowded street to strangers.

The video advertisement on the linked webpage crashed Safari on my iPhone.

Hmm... it seems this drip of bad news in big tech is setting up for some heated debates on regulation. It will be interesting how proactive the Europeans are with GDPR.

"Goal accomplished"

- traditional media and anti-big-web-tech

Change the record.

Old media might have an axe to grind with big tech making them obsolete, but the cavalier attitudes of big tech companies are pissing off a LOT of people.

I don't understand this. In the American startup I'm working we're extremely careful with respectful data practices due to ethics and GDPR (we have a lot European customers). Why doesn't Amazon give a shit about GDPR? Do they have a leverage?

> Why doesn't Amazon give a shit about GDPR?

I would assume perceived toothlessness. A better question is why should they? Or else what? Is that "what" absorbable by them to not eagerly spend a bunch of money and be shown to kowtow to governments making very large internet laws? Can they just pay it some lip service for now like their peers?

amazon doesn't have european headquarters

They do, so they can avoid taxes all over the world. Not only do they have an EU incorporated company, if you believe their tax filings their primary business is based in Luxembourg. This is obviously bullshit, and is done to avoid taxes, but they have structured their company in a way that makes them very much an EU company.

If they weren't an EU company they couldn't take advantage of Luxembourg's tax laws. So it follows that they have to follow all EU laws. Because they're incorporated in the EU.

you re right. The idea here is that luxembourg (or any country) would have to weigh any violations against their interests to keep amazon in their territory.

Of course they do. Their EU HQ is in Luxembourg.

This is irrelevant as long as they have customers whose rights are protected by GDPR.

i am mistaken. But the idea is , if they were not based in europe , which country's DPA is going to go after them? Where will the money be paid?

But they have european entities (AWS, fulfilment centres, etc).

If they don't choose to put themselves somewhere, everyone may go after them separately.

... and then they can negotiate with the country that gives them the smallest punishment. (under gdpr only one will go after them at a time).

Negotiating with every country in the EU serially is not that much better than in parallel.

Likely Luxembourg, where they are headquartered. Unfortunately (as we found in the DieselGate scandal -- where car companies directly caused thousands of deaths), Luxembourg doesn't have very strong regulatory teeth. Here's hoping they're more strict.

Not really? Any EU customer could report them to their own DPA who would have to investigate the issue and resolve it. There's no reason any DPA in Luxembourg would have to be involved the way I understand it (except for customers in Luxembourg of course).

Would explain the billions of new spam emails I've been receiving.

Amazon and my spam filter have a long and intimate relationship.

Wasn't there another post on HN of this?

I think it got black holed by the mods.

Watch this space https://amazon.com/profile

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact