Massive troves of Amazon, HSBC employee data leaked
A threat actor who goes by the online moniker “Nam3L3ss” has leaked employee data belonging to a number of corporations – including Amazon, 3M, HSBC and HP – ostensibly compromised during the May 2023 MOVEit hack by the Cl0p ransomware gang, which affected British Airways, the BBC, Aer Lingus, Boots. Zellis, and others.
Nam3L3ss’ post leaking Amazon employee data (Source: Hudson Rock)
More data leaks announced
“The stolen data, which dates back to May 2023, includes employee directories from 25 major organizations,” Alon Gal, CTO of cybercrime intelligence company Hudson Rock, shared.
Here’s the list of affected companies, along with the number of compromised / leaked records (as stated by the threat actor on BreachForums):
- Amazon — 2,861,111 records
- MetLife — 585,130 records
- Cardinal Health — 407,437 records
- HSBC — 280,693 records
- Fidelity (fmr.com) — 124,464 records
- U.S. Bank — 114,076 records
- HP — 104,119 records
- Canada Post — 69,860 records
- Delta Airlines — 57,317 records
- Applied Materials (AMAT) — 53,170 records
- Leidos — 52,610 records
- Charles Schwab — 49,356 records
- 3M — 48,630 records
- Lenovo — 45,522 records
- Bristol Myers Squibb — 37,497 records
- Omnicom Group — 37,320 records
- TIAA — 23,857 records
- Union Bank of Switzerland (UBS) — 20,462 records
- Westinghouse — 18,193 records
- Urban Outfitters (URBN) — 17,553 records
- Rush University — 15,853 records
- British Telecom (BT) — 15,347 records
- Firmenich — 13,248 records
- City National Bank (CNB) — 9,358 records
- McDonald’s — 3,295 records
Hudson Rock researcher contacted Nam3L3ss, who said that they would leak more data in the following days.
“Researchers can’t yet confirm whether the data came from CL0P, affiliates of it, or whether Nam3L3ss exploited these companies on their own,” Gal added.
Amazon confirms data leak
Hudson Rock has cross-referenced emails from the Amazon and HSBC datasets to Linkedin profiles of employees, as well as to emails found in infostealer infections involving employees of those companies, and have confirmed that the leaked data is authentic.
Amazon has confirmed it as well. Spokesperson Adam Montgomery has told the media that the leaked data includes employee work contact information – e.g., work email addresses, desk phone numbers, and building locations – and that it wasn’t sourced from Amazon, but from one of the company’s property management vendors.
According to the VX-Underground collective, the leaked Amazon data set contains employee information, but also details about Amazon physical locations and related costs.
“None of the data (as we’ve seen thus far) contains customer information,” Hudson Rock said, but the detailed employee information can be misused by a various threat actor to mount fraudulent schemes and extremely personalized phishing and social engineering attacks against the affected companies, as well as perform indentity theft.
“The actor Nam3L3ss claims that they are not a hacker and that they are only sharing data that they have downloaded from other sources. They claim to be motivated not by financial gain but out of a desire to hold governments and corporations accountable for protecting citizen data,” Vlad Mironescu, Threat Intelligence Analyst at Searchlight Cyber, told Help Net Security.
He also noted that one source of data that this threat actor commonly uses is information that has been posted on ransomware leak sites, though “Nam3L3ss doesn’t appear to be associated with Cl0p or any ransomware group but is simply re-sharing the data they have found.”
“It is true that the actor is not selling this data, they are posting it for free or for in-forum credits. However, that does not mean there is no damage done – posting the data for free in BreachForums will put it into the hands of a large number of hackers who could use it for a wide variety of nefarious purposes,” he concluded.