Users have said they are receiving emails from Amazon containing invoices and order updates on other customers, TechCrunch has learned.
Jake Williams, founder of cybersecurity firm Rendition Infosec, raised the alarm after he received an email from Amazon addressed to another customer with their name, postal address, and their order details.
Williams said he ordered something months ago which recently became available for shipping. He checked the email headers to make sure it was a genuine message.
“I think they legitimately intended to email me a notification that my item was shipping early,” he said. “I just think they screwed something up in the system and sent the updates to the wrong people.”
He said the apparent security lapse was worrying because emails about orders sent to the wrong place is a “serious breach of trust” that can reveal private information about a customer’s life, such as sexual orientation, proclivities, or other personal information
Several other Amazon customers also said they received emails seemingly meant for other people.
“I made an order yesterday afternoon and received her email last night,” another customer who tweeted about the mishap told TechCrunch. “Luckily I’m not a malicious person but that’s a huge security issue,” she said.
Another customer tweeted out about receiving an email meant for someone else. He said he spoke to Amazon customer service who said they will investigate additional security issues.
“Hope you didn’t send my sensitive account info to someone else,” he added.
And, one other customer posted a tweet thread about the issue, saying they spoke to a supervisor about the issue who gave a “nonchalant” response, she wrote. She said the supervisor said the issue happens frequently.
A spokesperson for Amazon did not return a request for comment when we asked how many customers were affected and if the company plans on informing customers of the breach. If we hear back, we’ll update.
It’s the second security lapse in a year. In November the company emailed customers saying a “technical error” had exposed an unknown number of their email addresses. When asked about specifics, the notoriously secretive company declined to comment further.