Android phone maker Blu Products was dealt a blow when Amazon said it would no longer sell its phones, citing security and privacy issues. The phone maker came under scrutiny last week by researchers at Kryptowire during a Black Hat session where they criticized the company for collecting personal identifiable information without user consent.

“Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” Amazon said. Blu Product phones are Amazon’s top unlocked Android phone seller and known for their affordable prices.

A vulnerability in older Amazon Echo devices can be used to make the home assistant relay conversations to eavesdroppers while the owner remains none the wiser. Research by MWR InfoSecurity found it's possible to turn an Amazon Echo into a covert listening device without affecting its overall functionality.

One big limiting factor: the process does involve the attacker being able to gain access to the physical unit, but it's possible to tamper with the Echo without leaving any evidence. The vulnerability comes as a result of two design choices: exposed debug pads on the base of the device and a hardware configuration setting.

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton.

And the files within were connected to the US National Geospatial-Intelligence Agency (NGA), the US military's provider of battlefield satellite and drone surveillance imagery. Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome.

Hackers have zeroed in on the growing number of third-party sellers on Amazon Marketplace, reportedly using stolen logins to swipe thousands of dollars from some merchants.

In recent weeks, hackers have ramped up their attacks by taking over dormant accounts and changing the bank account information. They'll then post nonexistent merchandise at bargain prices, make the sell and collect the cash. Buyers can get a refund, but the scam hits sellers hard, since they're on the hook for reimbursing customers who never received their merchandise. Hackers then likely used a method called "credential stuffing."

For decades, grocery stores have dreamed of fully automated technology that would allow them to dispense with cashiers altogether. But self-checkout systems introduced so far have been clunky and wound up just shifting a lot of work from store employees onto the customer.

Amazon introduced a new self-checkout technology that could totally transform the retail sector. Called “Amazon Go,” the technology literally allows people to walk into a store, select items they want to purchase, and walk out. There’s no checkout process at all. Amazon is opening an 1,800-square-foot convenience store in Seattle to test out the technology. 

Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said Monday.

When encountered, the malicious advertisements cause a person to be redirected to a different website, which triggers a download based on whether the computer is running Windows or Apple’s OS X, wrote Armin Pelkmann, a threat researcher. The network has been nicknamed Kyle and Stan due to those names appearing in subdomains of more than 700 websites the attackers have set up to distribute the malware, Pelkmann wrote.

Security researcher Will Dormann of the US Computer Emergency Response Team (CERT) has reported this week that over 350 apps from the Google Play and Amazon App stores have been compromised due to a flaw that fails to validate certificates over a secure socket layer.

The bug, which opens up many popular mobile applications such as the eBay mobile shopper and the Microsoft Tech Companion to fairly rudimentary man-in-the-middle attacks, has been tracked and logged by the CERT team for only about a week now. But instead of waiting the standard 45-days to silently communicate the problem to the affected companies in order to give them a chance to get out in front of the issue with appropriate patches.

Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers.

Elasticsearch is an increasingly popular open-source search engine server developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments. It can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms.