Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos customers passwords safe?
On Sunday, Zappos began
notifying its customers
about a
network intrusion
that led to the theft of customers names, addresses, email addresses, and encrypted passwords.
Because the passwords were encrypted, its unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers passwords and advised those who had reused the same password on another site to change it there immediately.
Given that warning, whats the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers stored passwords.
Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said its likely that many customers passwords arent safe. When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character, he said in a
blog post
.
[What lessons can we learn from the Zappos hack? See
Zappos Breach: 8 Lessons Learned
.]
So users [password] could look like Zappos12, and here lies a bigger problem. With
rainbow tables
that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline, he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they
reuse across sites
, no doubt because they must now employ passwords for so many different sites.
Its also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users passwords had been stored in cryptographically scrambled format. But they need to explain what they meant by cryptographically scrambled, said Baumgartner. Scrambled is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation.
Accordingly, he said, that raises these questions: Are they maintaining salted md5s for their password values? How about something stronger--and why not? Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?
A spokeswoman for Zappos said no additional information was available regarding how the company secures users passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.
On that front, some customers have expressed frustration with the
state of Zappos customer-notification effort
, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed
digital forensic analysis
.
Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our
Compliance From The Inside Out
report. (Free registration required.)

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Zappos Breach Renews Calls For Stronger Passwords