A German Amazon customer was able to access hours of audio files from a stranger's Alexa device that included recordings of him in the shower thanks to a "mistake" by one of Amazon's human employees.
Amazon sent the customer a link that included 1,700 recordings of another man and his female companion when he asked to play back the recordings from his own Alexa voice assistant.
He reported the anomaly to Amazon, but the company did not immediately reply, except to delete the files. By then, he had already downloaded them. After weeks of no response from Amazon, the customer notified German trade publication c't, worried the company would just cover up the incident otherwise.
Using the information contained in the recordings, which included their first and last name, the name of their partner, where they lived – even audio of the person in the shower – c't was able to locate and contact the victim, who was more than a little surprised to hear from them. While Amazon had deleted the victim's files, they hadn't actually told him his data was leaked.
The magazine also reported the incident to Amazon – again – interested to see if the company would notify authorities within 72 hours as required by Germany's GDPR law. Three days later, the original customer got a call from Amazon.
When the story became public, Amazon sent the victim new Echo devices and a free Prime membership as a token of their apology. They also claimed they had discovered the breach themselves.
"This unfortunate case was the result of a human error and an isolated single case," said an Amazon spokesperson on Thursday.
Only it's not. Earlier this year, a US couple found their Alexa had recorded a private conversation and sent it to another person. Back then Amazon called it "an extremely rare occurrence" and blamed it on a one-of-a-kind string of coincidences where the device interpreted the user's conversation as a series of directions to blurt out what they were saying to a random contact. Better voice recognition is exactly why Amazon claims it needs to store its customers' recordings – but new data breaches cast increasing doubt on the practice.