Amazon MOVEit Leaker Claims to Be Ethical Hacker

A threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.

The individual, who goes by the online moniker “Nam3L3ss,” claimed in a series of posts to have obtained data from 25 organizations whose data was compromised via last year’s MOVEit exploit.

According to Hudson Rock, which verified the data, these organizations include McDonald’s, Charles Schwab, Lenovo, Delta Airlines, HSBC and Amazon – with an estimated five million records leaked so far.

“This structured data reveals not only contact information but also sensitive details about organizational roles and department assignments, potentially opening doors to social engineering and other security threats,” the security vendor warned.

However, Nam3L3ss has taken to the dark web to protest their innocence.

“People, I am not a hacker! If something requires a username or password, even a default password, I will not try and use it! I track all of the ransom group sites and have my own tools that auto find AWS, AWS and other sites’ open buckets,” they wrote on Monday. “I download everything I can from ransom group TOR sites and from open cloud services. Once I have it I then clean the data and remove duplicates from the source and sometimes remove fields/columns where the data is useless.”

In a separate post on Tuesday seen by Infosecurity, they claimed to be leaking the data to raise awareness among organizations of poor information security practices.

“Companies and governments alike have a responsibility to make damn sure they are encrypting PII data. Too many companies blame third-party vendors, yet they themselves are transferring unencrypted data to these third parties,” they said. “Those that are sending encrypted data have a responsibility to make damn sure the third-party is keeping it encrypted.”

Despite the individual’s protestations, it’s unclear whether the data they leaked was harvested from third-party sources or if they obtained it directly via the MOVEit exploit. Given that the types of data from these 25 victim organizations are similar, it’s likely that the original source could be a single third-party supplier.

Nam3L3ss told Hudson Rock researchers that this breach “is just a tiny portion of the data they have,” with more set to be leaked over the coming days.
