Affiliate links on Android Authority may earn us a commission.Learn more.
An Alexa flaw might have exposed your voice history to hackers (Updated)
August 07, 2025
Update: July 02, 2025 (01:58PM ET): Amazon reached out toAndroid Authorityregarding the Alexa vulnerabilities mentioned in the original article below. Here’s what the company had to say:
We’ve also made clear in our original article that as per Amazon, all banking information is redacted in Alexa’s responses. Read on to know more about the issue and how it may have affected Alexa users.
Original article: July 14, 2025 (9:14AM ET): Hackers might have heard everything you’ve ever said to yourAmazon Alexadevice. That is if you clicked on a malicious link targeting your Alexa account.
Newfindingsby Check Point Research reveal that Alexa’s web services had flaws that hackers could have exploited to gain access to a user’s voice history and personal information. If you were a victim of this hack, everything you’ve ever said to Alexa or everything it’s heard could be the property of a hacker right now. The vulnerability could have also exposed information such as your home address and banking details (more on that later).
Related:Is selling your privacy for a cheaper phone really a good idea?
“Amazon does not record your banking login credentials, but your interactions are recorded, and since we have access to the chat history, we can access the victim’s interaction with the bank skill and get their data history,” Check Point researchers wrote in the blog post detailing the threat.
Moreover, the vulnerabilities could have also allowed a hacker to remove a commonly used skill and replace it with a malicious skill on the targeted victim’s Alexa account.
How does the Alexa hack work?
A successful hack would require the target to click on an unassuming link that looks like a regular Amazon package tracking link. Check Point reports that hackers could have exploited flaws in Amazon and Alexa’s subdomains to create such malicious links.
Once clicked, the link would redirect the target to a page injected with malicious code. The attacker would then sends a special request to Alexa’s skills store and fool it into believing that a legitimate user is trying to access it. Once the attacker is in, they could start deleting or installing skills, or access the target’s Alexa voice history.
What does Amazon have to say?
The good news is that Amazon has already patched the flaws. However, hackers could have been exploiting them before they were found. It’s difficult to tell how many users have been impacted.
“We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed,” An Amazon spokesperson toldWired.
Amazon has also denied that any banking information was exposed. The company toldWiredthat all banking information is redacted in Alexa’s responses.
What can you do?
The incident is a reminder of how careful we need to be around our smart devices. Voice assistants are notorious for being vulnerable to malicious actors. Last year, researchers managed totrickboth Alexa and Google Assistant into eavesdropping on users and voice-phishing for their passwords. We’ve also seen how hackerscan take controlof Siri, Alexa, and Google Assistant smart speakers using laser beams.
Needless to say, you have to be very careful about what you say to your smart speakers and voice assistants. Most smart devices come with a kill switch to stop them from listening to conversations. We suggest you use that switch generously. You should also regularlydelete your conversations with Alexaandother digital assistantsso that these types of hacks don’t affect you.
Other than that, be extra cautious about the links you click on, change your passwords regularly, and limit confidential interactions with smart devices in general.
Also read:Alexagate is a gloriously unnecessary tool to stop Amazon Echo from listening
Thank you for being part of our community. Read ourComment Policybefore posting.
