Attacks/Breaches
1/17/2012
10:27 AM
50%
50%

Zappos Hack Exposes Passwords

Zappos tells 24 million customers to change passwords; special password-reset website was unavailable to non-U.S. customers.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Online shoe and clothing retailer Zappos, which is owned by Amazon.com, began emailing its 24 million customers Sunday, advising them that its site had been hacked, and some customers' personal details and account information likely stolen. But Zappos said that no credit or debit card information had been accessed by attackers.

"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said Zappos CEO Tony Hsieh in an email that was sent to all Zappos employees Sunday, shortly before the company sent an email to its customers, warning them about the breach.

The stolen data, said Hsieh, may have included each customer's name, email address, billing and shipping address, the last four digits of their credit card number, and a "cryptographically scrambled" version of their website password. Such encryption, however, might not prevent attackers from eventually recovering passwords. Likewise, any customers who reused their Zappos password on another website that had suffered a breach would be at risk from attackers using that password to access their Zappos account.

[ Be more secure in the coming year. Read 10 Security Trends To Watch In 2012. ]

Accordingly, Zappos has expired all customers' passwords, and directed customers to reset their passwords via a dedicated password-reset page. Tuesday, however, customers located outside of the United States were unable to access either the Zappos website or the password-reset feature, and instead received a message saying that Zappos was working to resolve "a few technical issues."

Those technical issues involve preparing the systems to handle an anticipated surge in website traffic. "As a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non-U.S. users soon," said Zappos spokeswoman Diane Coffey of PR agency Kel & Partners, via email.

Despite Zappos' data breach notification to consumers, the company hasn't yet answered several key questions, such as detailing when the data breach occurred, the length of time for which attackers may have had access to its systems, or how the breach was finally detected. Zappos also hasn't indicated whether it will offer identity theft monitoring services to affected customers.

In the wake of the breach, Hsieh told employees that Zappos would be temporarily suspending all phone-based customer support, handling customers' questions solely via email, and training large number of current employees to help. "Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," he said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."

That move was likely astute. Last year, for example, after Texas authorities set up a toll-free number and call center to handle inquiries relating to a data breach that exposed 3.5 million records of Texas residents, the call center--which could handle only 19,000 calls per day--was quickly overwhelmed.

What's the risk to Zappos customers from the data breach? On its own, the information exposed in the breach likely doesn't pose a large risk. Still, security and data breach experts have warned that anytime collections of personal data go missing, it can provide a goldmine for social engineering attackers, for example if the data gets used to make spear-phishing emails look more authentic.

In its email to customers, Zappos also warned them to beware future email or telephone scams that might attempt to use the data breach to trick users into divulging their personal details. "As always, please remember that Zappos.com will never ask you for personal or account information in an email," it said.

Heightened concern that users could inadvertently expose or leak--or purposely steal--an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. An Insider Threat Reality Check, a special retrospective of recent news coverage, takes a look at how organizations are handling the threat--and what users are really up to. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/18/2012 | 1:12:55 AM
re: Zappos Hack Exposes Passwords
@ Guest - I don't know if the accounts are linked or not, but if they are or you use the same username and password for both then I would change the Amazon password as well to be safe.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Guest
50%
50%
Guest,
User Rank: Apprentice
1/17/2012 | 5:10:32 PM
re: Zappos Hack Exposes Passwords
Any chance the your Amazon account could also be at risk?
Michael Martin-Smucker
50%
50%
Michael Martin-Smucker,
User Rank: Apprentice
1/17/2012 | 4:32:38 PM
re: Zappos Hack Exposes Passwords
Consider me troll'd. I clicked on the link to this article just so I could complain about how the headline is click-bait. Exposing hashed (and hopefully salted) passwords is very different than exposing passwords. Obviously you know that because you mention it in the article, but this fact was conveniently ignored in favor of a more dramatic headline.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.