On Monday, e-commerce giant Amazon confirmed that some of its employees’ data had been compromised following a “security event” at one of its third-party property management providers (via TechCrunch).

Despite the severity of the security incident, the company has ensured that its own systems, including those of Amazon Web Services (AWS), remain secure.

It also added that the security breach at the vendor was limited to work-related contact details such as employees’ work emails, office phone numbers and building locations, and that no sensitive information such as be it social security numbers or financial data, has not been compromised.

“Amazon and AWS systems remain secure and we have not experienced any security events,” Amazon spokesman Adam Montgomery said in a statement to TechCrunch.

“We have been notified of a security event at one of our property management providers that has affected several of its customers, including Amazon. The only Amazon information involved was employee contact information, such as work email addresses, office phone numbers, and building locations.”

While Amazon did not disclose the number of affected employees, it noted that the security vulnerability responsible for the data breach has since been resolved on the vendor’s end.

Amazon confirmation to come a report from cybersecurity vendor Hudson Rock, who discovered the stolen information posted on the hacking forum by a threat actor using the alias “Nam3L3ss”.

It said the stolen information posted on BreachForums, a notorious site in the hacking community, included data from Amazon and 24 other major organizations, including MetLife, HP, HSBC and Canada Post.

According to Hudson Rock, the threat actor claims to have more than 2.8 million rows of individual Amazon employee contact information, including their full names.

The firm also reported that the threat actor claimed to have only leaked less than 0.001% of the total stolen data, promising more releases in the future.

The cybersecurity firm says the stolen information dates back to May 2023, when a critical zero-day vulnerability was exploited in MOVEIt, a popular file transfer platform used by many companies.

This flaw allowed an unauthenticated attacker to bypass authentication protocols via an SQL injection, potentially granting unauthorized access to the MOVEit Transfer database and gaining access to sensitive data.

The famous Clop ransomware and extortion ring were claimed to be behind the MOVEit breach, which was the biggest hack of 2023.

For example, the Oregon Department of Transportation in the US had 3.5 million records stolen.

Instead, the Colorado Department of Health Policy and Financing and a US government contractor, Maximus, stole 4 million and 11 million records, respectively.