10/1/23 update adds Amazon statement below.
Amazon mistakenly sent out purchase confirmation emails for Hotels.com, Google Play, and Mastercard gift cards to customers, making many worried their accounts were compromised.
The emails were sent out last night, with customers reporting receiving three separate emails from Amazon Prime for each alleged gift card purchase. However, no purchases are found in their Amazon Prime accounts.
“I just randomly received 3 gift card emails in a row (within a minute) from amazon ([email@example.com](mailto:firstname.lastname@example.org)) and I am really confused by this,” reads a Reddit post where many Amazon customers reported receiving the emails.
News of the emails was also heavily reported on social media, with cybersecurity researcher Mike Grover (_MG_) sharing screenshots of the received emails on X.
The emails used a subject line similar to “Important information about Hotels.com gift card order” and had an email address of email@example.com.
“Thank you for purchasing Hotels.com gift cards from Amazon.com,” reads the email sent to Amazon customers.
“We would like our customers to be aware of some important information relating to purchase of Hotels.com gift cards.”
“There are a variety of scams in which fraudsters try to trick others into paying with gift cards from well-known brands. To learn more about some common scam attempts that may involve asking for payment using gift cards please click on the button below, or alternatively contact us now.”
The ‘See more information’ button links to a web page on Amazon.com that explains how gift cards are commonly requested as payment in online scams.
The email headers show that they were sent using Amazon Simple Email Service (SES) and passed DKIM and SPF authentication headers, indicating that the emails were verified as coming from Amazon.
While Amazon’s media contact has not responded to our queries about the emails, a support agent told BleepingComputer that they were sent to all customers in error.
Update 10/1/23 6:41 PM ET: Amazon has confirmed that the emails were sent by mistake and will be contacting all impacted customers.
n error in our email system resulted in an order confirmation email being sent to customers who did not purchase a gift card,” an Amazon spokesperson told BleepingComputer.
“We have fixed this error so it won’t happen again, and are emailing these customers to inform them of the error and apologize for the inconvenience.”