About 3 weeks ago, I sent a preliminary copy of the CookieMonster tool to an Amazon employee who requested it after I announced they were vulnerable, and that it was available for testing/proof. I was glad he contacted me, because I was having a really hard time contacting their security team (all their security pages are FAQs on phishing, and their security alias returns a bounce saying not to trust any mail that comes from it!).
He didn't mention anything specific or even claim to officially represent Amazon, but we did exchange a couple of emails, and he seemed legitimately interested in the tool. Then, about a week or so ago, I received word via a friend of a friend that an Amazon employee had gotten some heat for requesting the tool. Since there was only one Amazon employee who bothered responding or requesting the tool at all, I decided to send him an updated copy and wish him luck on whatever happened. To my great surprise, the email bounced with a "no such user" error. The address certainly was valid when I sent him the first copy, so I'm not sure what this means. I suppose it could be coincidence: the employee could have just quit, but I suspect something fishy is going on...