Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Zappos Breach Renews Calls For Stronger Passwords

Passwords are the go-to security technique for retailers, but businesses must balance password strength and consumer ease of use.

Are Zappos' customers' passwords safe?

On Sunday, Zappos began notifying its customers about a network intrusion that led to the theft of customers' names, addresses, email addresses, and encrypted passwords.

Because the passwords were encrypted, it's unlikely that attackers would be able to immediately decode them all. Even so, Zappos expired all customers' passwords and advised those who had reused the same password on another site to change it there immediately.

Given that warning, what's the risk of Zappos customers having their passwords cracked after the data breach? The answer to that question depends on numerous factors, including the complexity of each password, as well as whether Zappos had both salted and hashed customers' stored passwords.

Based on the Zappos password-reset process, however, Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it's likely that many customers' passwords aren't safe. "When the Zappos team forced their users to reset their passwords ... they enabled their users to provide a minimum of eight-character passwords, including one upper- and lowercase letter and one number or one special character," he said in a blog post.

[What lessons can we learn from the Zappos hack? See Zappos Breach: 8 Lessons Learned.]

"So users' [password] could look like 'Zappos12', and here lies a bigger problem. With 'rainbow tables' that have been circulating as a part of both commercial products and open-source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline," he said. Furthermore, as demonstrated by an analysis of the passwords chosen by SonyPictures.com users, many people favor simple--and thus more easily cracked--passwords, which they reuse across sites, no doubt because they must now employ passwords for so many different sites.

It's also not clear just how well-secured the Zappos passwords may have been. Notably, Zappos said that users' passwords had been stored in "cryptographically scrambled" format. "But they need to explain what they meant by 'cryptographically scrambled,'" said Baumgartner. "'Scrambled' is not common security jargon and most likely [was] tossed out by a marketing writer doing their best with the situation."

Accordingly, he said, that raises these questions: "Are they maintaining salted md5's for their password values? How about something stronger--and why not?" Zappos also prevents customers from reusing any of their previous six passwords, he said. But how does it know what those passwords were, and is it possible attackers compromised copies of those historic passwords as well?

A spokeswoman for Zappos said no additional information was available regarding how the company secures users' passwords. Zappos, meanwhile, is still working to notify customers and upgrade its non-U.S. websites to cope with an anticipated surge in website traffic and password resets.

On that front, some customers have expressed frustration with the state of Zappos' customer-notification effort, with some saying that they failed to receive the email warning about the data breach, which included password-reset instructions. Furthermore, the full extent of the breach has yet to become clear, although Zappos is likely still investigating the intrusion and awaiting a detailed digital forensic analysis.

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11529
PUBLISHED: 2020-04-04
Common/Grav.php in Grav before 1.6.23 has an Open Redirect.
CVE-2020-11527
PUBLISHED: 2020-04-04
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
CVE-2020-11528
PUBLISHED: 2020-04-04
bit2spr 1992-06-07 has a stack-based buffer overflow (129-byte write) in conv_bitmap in bit2spr.c via a long line in a bitmap file.
CVE-2020-11518
PUBLISHED: 2020-04-04
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.