Attacks/Breaches
1/17/2012
10:27 AM

Zappos Hack Exposes Passwords

Zappos tells 24 million customers to change passwords; special password-reset website was unavailable to non-U.S. customers.

Slideshow: 10 Massive Security Breaches
Online shoe and clothing retailer Zappos, which is owned by Amazon.com, began emailing its 24 million customers Sunday, advising them that its site had been hacked, and some customers' personal details and account information likely stolen. But Zappos said that no credit or debit card information had been accessed by attackers.

"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said Zappos CEO Tony Hsieh in an email that was sent to all Zappos employees Sunday, shortly before the company sent an email to its customers, warning them about the breach.

The stolen data, said Hsieh, may have included each customer's name, email address, billing and shipping address, the last four digits of their credit card number, and a "cryptographically scrambled" version of their website password. Such encryption, however, might not prevent attackers from eventually recovering passwords. Likewise, any customers who reused their Zappos password on another website that had suffered a breach would be at risk from attackers using that password to access their Zappos account.
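The article's point that a "cryptographically scrambled" password is not the same as a safe one comes down to how the scrambling was done. The following Python example is added here for illustration and is not code from Zappos or from the article: it contrasts the weak pattern (one fast, unsalted hash per password, where every user with the same password gets the same stored value and a single precomputed table of common passwords matches all of them) with per-user salting and a deliberately slow key derivation function. The user names and passwords are constructed sample data, not breach data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical users, not real breach data).
SAMPLE_USERS = {"alice": "winter2012", "bob": "winter2012"}


def unsalted_fast_hash(password: str) -> str:
    """Weak storage: a single fast, unsalted hash.

    Identical passwords map to identical digests, so one precomputed table
    of common passwords unlocks every account that shares a password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Stronger storage: random per-user salt + slow PBKDF2-HMAC-SHA256.

    The salt defeats precomputed tables (the same password yields a
    different record for every user); the iteration count makes each
    guess expensive, which buys users time to reset after a breach.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_stored_value_for_same_password(storage) -> bool:
    """True if two users sharing a password end up with identical stored values.

    That property is exactly what makes bulk offline recovery cheap, so a
    sound scheme must return False here.
    """
    return storage(SAMPLE_USERS["alice"]) == storage(SAMPLE_USERS["bob"])


if __name__ == "__main__":
    print("unsalted SHA-1 links identical passwords:",
          same_stored_value_for_same_password(unsalted_fast_hash))
    print("salted PBKDF2 links identical passwords:",
          same_stored_value_for_same_password(store_password))
    rec = store_password("winter2012")
    print("correct password verifies:", verify_password("winter2012", rec))
    print("wrong password verifies:", verify_password("Winter2012", rec))
```

The forced reset Zappos performed is the right complement to this: even with slow, salted hashing, a leaked record only delays recovery of weak passwords, so expiring every stored credential removes the value of the stolen copies outright.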


Accordingly, Zappos has expired all customers' passwords, and directed customers to reset their passwords via a dedicated password-reset page. Tuesday, however, customers located outside of the United States were unable to access either the Zappos website or the password-reset feature, and instead received a message saying that Zappos was working to resolve "a few technical issues."

Those technical issues involve preparing the systems to handle an anticipated surge in website traffic. "As a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non-U.S. users soon," said Zappos spokeswoman Diane Coffey of PR agency Kel & Partners, via email.

Despite Zappos' data breach notification to consumers, the company hasn't yet answered several key questions, such as detailing when the data breach occurred, the length of time for which attackers may have had access to its systems, or how the breach was finally detected. Zappos also hasn't indicated whether it will offer identity theft monitoring services to affected customers.

In the wake of the breach, Hsieh told employees that Zappos would be temporarily suspending all phone-based customer support, handling customers' questions solely via email, and training a large number of current employees to help. "Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," he said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."

That move was likely astute. Last year, for example, after Texas authorities set up a toll-free number and call center to handle inquiries relating to a data breach that exposed 3.5 million records of Texas residents, the call center--which could handle only 19,000 calls per day--was quickly overwhelmed.

What's the risk to Zappos customers from the data breach? On its own, the information exposed in the breach likely doesn't pose a large risk. Still, security and data breach experts have warned that anytime collections of personal data go missing, it can provide a goldmine for social engineering attackers, for example if the data gets used to make spear-phishing emails look more authentic.

In its email to customers, Zappos also warned them to beware future email or telephone scams that might attempt to use the data breach to trick users into divulging their personal details. "As always, please remember that Zappos.com will never ask you for personal or account information in an email," it said.


Comments
Bprince, User Rank: Ninja
1/18/2012 | 1:12:55 AM
re: Zappos Hack Exposes Passwords
@ Guest - I don't know if the accounts are linked or not, but if they are or you use the same username and password for both then I would change the Amazon password as well to be safe.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Guest, User Rank: Apprentice
1/17/2012 | 5:10:32 PM
re: Zappos Hack Exposes Passwords
Any chance that your Amazon account could also be at risk?
Michael Martin-Smucker, User Rank: Apprentice
1/17/2012 | 4:32:38 PM
re: Zappos Hack Exposes Passwords
Consider me troll'd. I clicked on the link to this article just so I could complain about how the headline is click-bait. Exposing hashed (and hopefully salted) passwords is very different than exposing passwords. Obviously you know that because you mention it in the article, but this fact was conveniently ignored in favor of a more dramatic headline.