2 min Security

New MOVEit exploit hits Amazon, HP and McDonald’s

New MOVEit exploit hits Amazon, HP and McDonald’s

Amazon confirms a data breach in which employees’ personal data was leaked. This data breach is part of a larger campaign created by a new exploit of the well-known MOVEit vulnerability.

In a statement to The Verge, Amazon states that the data breach leaked employee e-mail addresses, phone numbers, and office locations. The data breach occurred through a property management software vendor; the company’s own systems were not penetrated.

In total, more than 2.8 million lines of Amazon data were allegedly involved. But it remains unknown how many employees were affected.

Fragment uit een spreadsheet met geredigeerde werknemersgegevens met betrekking tot Amazon.com, waaronder namen, e-mailadressen en functienamen.

Part of a larger campaign

The attack on Amazon is part of a larger attack on companies, HudsonRock security specialists noted. Other affected companies include insurer MetLife, HP, merchant bank HSBC and McDonald’s.

A hacker calling himself Nam3L3ss made the data breach public. The stolen data includes employee data and may also include entire organizational schemes. The stolen data further appears to date from 2023.

MOVEit strikes again

The cause of the data breach is a new exploit of the well-known file transfer vulnerability MOVEit, or CVE-2023-34362. The vulnerability allows hackers to penetrate a MOVEit Transfer instance with a manipulated SQL injection. This gives them access to the used databases, such as MySQL, Microsoft SQL, and Azure SQL. The hackers can then access the structure and content contained in these databases.

Also read: 1,800 networks at risk from new MOVEit vulnerability