
It's hard to overstate how big of a company Amazon is and how much customer data it possesses and accumulates each day. In 2017, the company shipped more than five billion packages just to its Prime subscribers. In this same time frame, Amazon also spent more on research and development than literally any other US company. As Ron Burgundy might say, they're kind of a big deal. So if there's a user data breach, the implications may be serious.

Today, a number of Amazon customers received an odd email from the company notifying them of a recent breach that exposed their email addresses. The message reads, "We're contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action."


The message is signed "Customer Service," below which is a URL that reads "http://Amazon.com." The company no longer uses HTTP, so clicking on this will at least redirect users to the website's encrypted HTTPS pages instead. But as security guru Brian Krebs pointed out on Twitter, this is an oddly nonstandard way to direct users to your website.

Amazon reached out to us for this story to emphasize that the Amazon link in the email will take the user to a secure domain. They added that neither the website nor company systems were compromised.


According to TechCrunch, Amazon has declined to provide any additional details on the nature of this breach, such as when the breach occurred, how many customers were affected, who did it, and whether or not law enforcement has been notified or briefed.

The design of the email is also unusual because it does not greet the customer by name, nor does it provide any links to or contact information for Amazon's customer service department. Company emails also customarily have brand logos at the top, and a "footer" at the bottom providing a standard set of links to access various sections of the website.

As this revelation arrives less than 48 hours before retail's biggest shopping day of the year, there is a heightened degree of concern for the safety and privacy of customers' data. Amazon asserts that no changes need to be made on the customer's end, but with the minimal level of information they provide, it may be difficult to take them at their word.


There's at least one thing you can do to help protect your Amazon account

Email addresses and even passwords can get hacked, but there are ways to fight back without having to delete an account. One example is app-based two-factor authentication.

With this system, you provide a temporary code to Amazon after you've logged in with your user name and password. This can prevent an unauthorized user from getting in, because that code is sent to a specific device that you've selected (usually your mobile phone).

To set that up, grab an app such as Google Authenticator (Android, iOS), then go to your Amazon account's security settings page. Click on "Add new app," open Google Authenticator on your phone, tap the round "+" button in the app's bottom right corner, tap "Scan a Barcode," hold your phone's camera up to the QR code on your computer screen, enter the provided code on the Amazon account page, and click the button labeled "Verify code and continue."

You'll need to enter this code every time you log into Amazon, but it should protect you if your password gets compromised.

Amazon's login security page may default to sending codes via SMS. To change this, simply tap the Change link in the Preferred Method section and follow the on-screen instructions.


  • Amazon notified an undetermined number of customers about a data breach today, saying that their email address had been exposed. However, the company has declined to elaborate beyond the minimal details provided in the email notification.
  • If your Amazon account is not protected by app-based two-factor authentication, this is probably a good time to set it up, especially since Black Friday is almost upon us.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.