Zappos Hack Exposes Passwords

Published: 22/11/2024   Category: security




Zappos tells 24 million customers to change passwords; special password-reset website was unavailable to non-U.S. customers.



Online shoe and clothing retailer Zappos, which is owned by Amazon.com, began emailing its 24 million customers Sunday, advising them that its site had been hacked and that some customers' personal details and account information had likely been stolen. But Zappos said that no credit or debit card information had been accessed by attackers.
"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said Zappos CEO Tony Hsieh in an email that was sent to all Zappos employees Sunday, shortly before the company sent an email to its customers, warning them about the breach.
The stolen data, said Hsieh, may have included each customer's name, email address, billing and shipping address, the last four digits of their credit card number, and a cryptographically scrambled version of their website password. Such scrambling, however, might not prevent attackers from eventually recovering passwords. Likewise, any customers who reused their Zappos password on another website that had suffered a breach would be at risk from attackers using that password to access their Zappos account.
Accordingly, Zappos has expired all customers' passwords and directed customers to reset their passwords via a dedicated password-reset page. Tuesday, however, customers located outside of the United States were unable to access either the Zappos website or the password-reset feature, and instead received a message saying that Zappos was working to resolve "a few technical issues."
Those technical issues involve preparing the systems to handle an anticipated surge in website traffic. "As a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non-U.S. users soon," said Zappos spokeswoman Diane Coffey of PR agency Kel & Partners, via email.
Despite Zappos' data breach notification to consumers, the company hasn't yet answered several key questions, such as when the data breach occurred, the length of time for which attackers may have had access to its systems, or how the breach was finally detected. Zappos also hasn't indicated whether it will offer identity theft monitoring services to affected customers.
In the wake of the breach, Hsieh told employees that Zappos would be temporarily suspending all phone-based customer support, handling customers' questions solely via email, and training a large number of current employees to help. "Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," he said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."
That move was likely astute. Last year, for example, after Texas authorities set up a toll-free number and call center to handle inquiries relating to a data breach that exposed 3.5 million records of Texas residents, the call center, which could handle only 19,000 calls per day, was quickly overwhelmed.
What's the risk to Zappos customers from the data breach? On its own, the information exposed in the breach likely doesn't pose a large risk. Still, security and data breach experts have warned that any time collections of personal data go missing, they can provide a goldmine for social engineering attackers, for example if the data gets used to make spear-phishing emails look more authentic.
In its email to customers, Zappos also warned them to beware of future email or telephone scams that might attempt to use the data breach to trick users into divulging their personal details. "As always, please remember that Zappos.com will never ask you for personal or account information in an email," it said.