1/17/2012
10:27 AM

Zappos Hack Exposes Passwords

Zappos tells 24 million customers to change passwords; special password-reset website was unavailable to non-U.S. customers.

Online shoe and clothing retailer Zappos, which is owned by Amazon.com, began emailing its 24 million customers Sunday, advising them that its site had been hacked, and some customers' personal details and account information likely stolen. But Zappos said that no credit or debit card information had been accessed by attackers.

"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said Zappos CEO Tony Hsieh in an email that was sent to all Zappos employees Sunday, shortly before the company sent an email to its customers, warning them about the breach.

The stolen data, said Hsieh, may have included each customer's name, email address, billing and shipping address, the last four digits of their credit card number, and a "cryptographically scrambled" version of their website password. Such encryption, however, might not prevent attackers from eventually recovering passwords. Likewise, any customers who reused their Zappos password on another website that had suffered a breach would be at risk from attackers using that password to access their Zappos account.
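To make the point above concrete, here is an added example (not code from the article or from Zappos) showing why a "cryptographically scrambled" password column is not automatically safe. A fast, unsalted hash can be matched against a table anyone can precompute from common passwords; a per-user salted, iterated hash (PBKDF2 here) makes the same password produce different stored values and removes that shortcut. The password list and user records are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of common passwords; a real table would be far larger.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: identical passwords -> identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """Digest -> password map. Built once, it matches every leaked unsalted digest."""
    return {unsalted_sha1(w): w for w in words}


def recoverable_from_table(stored_value: str, table: dict) -> Optional[str]:
    """Return the password if the stored value is directly in the table, else None."""
    return table.get(stored_value)


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> str:
    """Salted, slow hash stored as salt$rounds$hash (format is an assumption here)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    salt_hex, rounds, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    # Two constructed users who both chose "letmein".
    print("unsalted, user A:", recoverable_from_table(unsalted_sha1("letmein"), table))
    print("unsalted, user B:", recoverable_from_table(unsalted_sha1("letmein"), table))
    rec_a, rec_b = pbkdf2_record("letmein"), pbkdf2_record("letmein")
    print("salted records differ:", rec_a != rec_b)
    print("salted hash in table:", recoverable_from_table(rec_a.split("$")[2], table))
```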


Accordingly, Zappos has expired all customers' passwords, and directed customers to reset their passwords via a dedicated password-reset page. Tuesday, however, customers located outside of the United States were unable to access either the Zappos website or the password-reset feature, and instead received a message saying that Zappos was working to resolve "a few technical issues."

Those technical issues involve preparing the systems to handle an anticipated surge in website traffic. "As a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non-U.S. users soon," said Zappos spokeswoman Diane Coffey of PR agency Kel & Partners, via email.

Despite Zappos' data breach notification to consumers, the company hasn't yet answered several key questions, such as when the data breach occurred, how long attackers may have had access to its systems, or how the breach was finally detected. Zappos also hasn't indicated whether it will offer identity theft monitoring services to affected customers.

In the wake of the breach, Hsieh told employees that Zappos would be temporarily suspending all phone-based customer support, handling customers' questions solely via email, and training a large number of current employees to help. "Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," he said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."

That move was likely astute. Last year, for example, after Texas authorities set up a toll-free number and call center to handle inquiries relating to a data breach that exposed 3.5 million records of Texas residents, the call center--which could handle only 19,000 calls per day--was quickly overwhelmed.

What's the risk to Zappos customers from the data breach? On its own, the information exposed in the breach likely doesn't pose a large risk. Still, security and data breach experts have warned that anytime collections of personal data go missing, it can provide a goldmine for social engineering attackers, for example if the data gets used to make spear-phishing emails look more authentic.

In its email to customers, Zappos also warned them to beware future email or telephone scams that might attempt to use the data breach to trick users into divulging their personal details. "As always, please remember that Zappos.com will never ask you for personal or account information in an email," it said.


Comments
Bprince,
User Rank: Ninja
1/18/2012 | 1:12:55 AM
re: Zappos Hack Exposes Passwords
@ Guest - I don't know if the accounts are linked or not, but if they are or you use the same username and password for both then I would change the Amazon password as well to be safe.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Guest,
User Rank: Apprentice
1/17/2012 | 5:10:32 PM
re: Zappos Hack Exposes Passwords
Any chance your Amazon account could also be at risk?
Michael Martin-Smucker,
User Rank: Apprentice
1/17/2012 | 4:32:38 PM
re: Zappos Hack Exposes Passwords
Consider me troll'd. I clicked on the link to this article just so I could complain about how the headline is click-bait. Exposing hashed (and hopefully salted) passwords is very different than exposing passwords. Obviously you know that because you mention it in the article, but this fact was conveniently ignored in favor of a more dramatic headline.