by saltysugar 2761 days ago
Amazon employee here, but the statement I'm making is of my own.

Internally we treat customer names and email addresses as the second highest data classification. The highest one is credit card/financial/password data.

What does it mean? It means that there are a bunch of requirements that a software team must fulfill and pass (reviewed by an SDE trained in the process from outside the team). This makes accessing this sort of data a PITA for a lot of people, and I can see why they would send out notifications when a breach like this happens. Amazon takes security very seriously, and it in fact creates quite a bit of friction for many engineers. However, I'd rather have that than the break-things-and-ask-for-forgiveness model of some other companies (not going to name names here).


I can confirm that names and email addresses are classified as saltysugar states, and so are the security reviews. So they do have to pass all those requirements for secure storage and transmission, but then names and emails are made visible by default through mechanisms like reviews, profiles, and wishlists, and that passes the review because it is the user's choice.

I don't even think this is anything nefarious by Amazon. It's more that teams dedicated to security issues consider it out of their lane to deal with conflicts between the designed UX and actual user expectations; especially for privacy issues where even asking the person isn't a reliable way to understand what they want.

> saltysugar

Can you elaborate? I've never heard this phrase before and google results aren't very helpful.

It's not a policy, it's the parent poster's username.

LOL, now I realize the wisdom of not referring to people by usernames... "saltysugar states" sounds completely plausible.