A data leak has exposed the personal information of millions of employees from over 25 companies, including Amazon, Lenovo, HP, and MetLife. The leaked data is believed to have been stolen during a series of attacks targeting MOVEit, a secure file transfer platform, in May 2023.
Amazon Confirms Breach:
Amazon confirmed the leak, acknowledging that over 2.8 million employee records, including names, contact information, and work locations, were compromised. However, they emphasized that the breach originated from a third-party vendor and did not involve access to Amazon’s internal systems or sensitive employee data like Social Security numbers.
Other Affected Companies:
The leak impacts a wide range of companies across various sectors. Here are some of the most affected:
- Lenovo (45,522 employees)
- HP (104,119 employees)
- McDonald’s (3,295 employees)
- HSBC (280,693 employees)
- MetLife (585,130 employees)
Source of the Breach:
The data breach is attributed to a zero-day vulnerability exploited in MOVEit Transfer software during the May 2023 attacks. The threat actor, Nam3L3ss, claims to possess data from various sources, including other ransomware gangs’ leaks and exposed cloud storage buckets.
Impact and Next Steps:
The stolen data could be used for targeted phishing attacks, social engineering scams, or even identity theft. Companies affected by the leak are likely to face reputational damage and potential regulatory scrutiny. It’s crucial for individuals whose information might be exposed to remain vigilant and be cautious of suspicious emails or communications.
This incident highlights the importance of robust third-party security measures and staying updated on potential software vulnerabilities.