
MOVEit data leak exposes employee data from Amazon, HSBC and others – what you need to know

A new wave of data leaks related to the infamous MOVEit vulnerability has rocked the cybersecurity landscape once again. Unlike last year's Cl0p ransomware attacks, this latest MOVEit data leak is attributed to a new threat actor: “Nam3L3ss.” This actor targeted large companies and published large amounts of sensitive employee data on a dark web forum.

The affected organizations include well-known names such as Amazon, HSBC, British Telecom and McDonald’s. Overall, the leaked records reveal confidential employee directories that span thousands of entries per company and include contact information, job titles and even internal structures.

For affected organizations, the threat is real and significant: This level of exposure provides a potential roadmap for attackers looking to exploit the stolen data for future targeted phishing campaigns or other social engineering attacks.

In this article, we will outline the key details of the breach, the organizations affected, the threat actor’s claims, and explore potential impacts.

What happened? Background to the MOVEit data leak

The latest data breach attributed to the threat actor “Nam3L3ss” occurred on the popular hacker forum BreachForums. Through a series of posts, Nam3L3ss exposed extensive employee directories, including personal information, organizational hierarchies, and additional internal files.

The threat actor’s leak posts, including the latest MOVEit-related databases

On November 8, 2024, SOCRadar’s Dark Web News module alerted our customers to the threat actor’s leak-related posts. According to the information in these posts, the data source is MOVEit, which suggests that the data disclosure exploits the same MOVEit Transfer vulnerability that was exploited in last year’s Cl0p ransomware attacks.

The leak posts, displayed in SOCRadar's Dark Web News module

In the recent Nam3l3ss leaks, affected companies reportedly include industry leaders such as Amazon, HSBC, MetLife, Cardinal Health, Fidelity, US Bank, HP, Canada Post, Delta Airlines, Leidos, Lenovo, McDonald’s and others. Following these high-profile leaks, customers of affected organizations may be at increased risk of social engineering and fraud schemes.

It is also worth noting that, while the breach affected many companies, data leaks were found at Amazon and HSBC, where HR/accounting records were exposed but no customer data appears to have been compromised. These breaches were found to have occurred around May 31, 2023.

Leaks related to the MOVEit vulnerability (CVE-2023-34362); Is Nam3l3ss related to Clop ransomware?

This latest breach appears to be related to the critical MOVEit Transfer vulnerability identified in 2023 and tracked as CVE-2023-34362, which allowed unauthorized access by bypassing security controls in the file transfer software. This vulnerability has been exploited by various threat actors (such as Cl0p and LockBit) in the past and impacted key industries worldwide.

Nam3L3ss cites MOVEit as a data source in their posts, leading researchers to believe that the vulnerability may be related to this compromise. However, it is still uncertain whether Nam3L3ss directly exploited MOVEit itself or exploited data disclosed by previous attackers.

An Infostealers blog post notes that the infamous Cl0p ransomware group has previously used this exploit, but many companies affected by this breach, such as Amazon and McDonald’s, have not previously been associated with Cl0p. Additionally, the threat actor’s “manifesto” denies any connection to ransomware groups and instead claims to expose systemic vulnerabilities; they also state that they are not a hacker.

Details about CVE-2023-34362 (Source: SOCRadar Vulnerability Intelligence)

For the latest insights on vulnerabilities like CVE-2023-34362 in MOVEit Transfer and emerging threats, SOCRadar’s Vulnerability Intelligence module provides detailed updates on active CVEs and threat trends.

Intentions and approach of the threat actor – a self-appointed observer, not a hacker

In the manifesto we mentioned, released alongside the data leak, Nam3L3ss claims that they are not actively hacking organizations, but are “simply monitoring the dark web and exposed online cloud services.”

Nam3L3ss disputed the “hacker” label, saying they targeted misconfigured and publicly accessible cloud storage services such as AWS buckets, Google Cloud and FTP servers, as well as open databases on platforms such as MongoDB.

A manifesto published by the threat actor in the MOVEit data leak posts

The manifesto also hints at a blame game, as Nam3L3ss argues that when companies or government agencies fail to protect sensitive information through encryption or other safeguards, they are responsible for any breaches, not their third parties. They insist they will continue to publish all unprotected data “until governments take data and PII security seriously.”

In light of the MOVEit data leak, SOCRadar’s Dark Web Monitoring module gives your organization a proactive advantage by keeping an eye on such threats in dark web forums, markets and underground networks. Timely notifications let you know immediately if sensitive information or assets related to your brand appear in dark web spaces. Here are the main features of SOCRadar’s Dark Web Monitoring module:

  • Instant threat alerts: Get notified when your organization’s assets are mentioned on the dark web.
  • Detecting compromised credentials: Stay up to date on disclosed credentials associated with your organization.
  • Early indicators of data breaches: Recognize warning signs to prevent unauthorized access before it becomes a major problem.

With these features, SOCRadar helps you stay ahead, protect your business from new dark web threats, and protect your brand reputation.

Top Companies Affected by Recent MOVEit Leaks

Among compromised organizations, the following companies have the highest number of exposed records, each exceeding 100,000 entries:

Company: Records disclosed
Amazon: 2,861,111
MetLife: 585,130
Cardinal Health: 407,437
HSBC: 280,693
Fidelity: 124,464
US Bank: 114,076
HP: 104,119

These massive data sets expose employee information at significant levels, underscoring the severity of this latest breach and increasing concerns about potential exploitation such as phishing, social engineering and identity fraud.

Lessons learned from the data breaches at Amazon and HSBC

Since the Amazon and HSBC data leaks were confirmed, the extent of the information disclosed reveals important internal details about both organizations. The researchers authenticated these records by matching email addresses with LinkedIn profiles and other sources.

HSBC’s data set was revealed to cover its global operations, including fields such as user IDs, employee names, email addresses and location details. In parallel, Amazon’s dataset contains information such as employee names, contact details, job titles and internal department codes, exposing sensitive organizational structures that could be vulnerable to social engineering attacks.

Amazon confirmed the breach on November 11, 2024, clarifying that only work-related contact information was compromised, without exposing Social Security numbers (SSNs) or financial information.

Conclusion

The recent MOVEit data leaks pose a serious risk to affected organizations, exposing them to potential phishing attacks, scams and social engineering tactics that malicious actors can exploit using stolen employee information. With sensitive internal data like employee names, contact information and more now accessible, cybercriminals have the resources necessary to launch targeted phishing campaigns and identity theft attempts that put both employee and company data at risk.

The reputational damage resulting from such breaches can be significant. Well-known companies such as Amazon and HSBC could face increased scrutiny as these incidents undermine public trust and raise questions about their data security measures.

To further protect against these risks, organizations must take proactive monitoring and response measures. SOCRadar’s Brand Protection service, offered under the Digital Risk Protection (DRP) module, provides comprehensive protection and tracks potential impersonators across domains, mobile apps and social media platforms.

Track phishing and scam attempts with SOCRadar brand protection

This tool helps your company detect and neutralize fake accounts, phishing attacks and fraud attempts with its integrated takedown function, thereby reducing the likelihood of successful social engineering attacks. In today’s threat landscape, deploying these protections is critical to maintaining customer trust and resilience against targeted attacks.
