Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Zappos Hack Exposes Passwords

Zappos tells 24 million customers to change passwords; special password-reset website was unavailable to non-U.S. customers.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Online shoe and clothing retailer Zappos, which is owned by Amazon.com, began emailing its 24 million customers Sunday, advising them that its site had been hacked, and some customers' personal details and account information likely stolen. But Zappos said that no credit or debit card information had been accessed by attackers.

"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said Zappos CEO Tony Hsieh in an email that was sent to all Zappos employees Sunday, shortly before the company sent an email to its customers, warning them about the breach.

The stolen data, said Hsieh, may have included each customer's name, email address, billing and shipping address, the last four digits of their credit card number, and a "cryptographically scrambled" version of their website password. Such encryption, however, might not prevent attackers from eventually recovering passwords. Likewise, any customers who reused their Zappos password on another website that had suffered a breach would be at risk from attackers using that password to access their Zappos account.

[ Be more secure in the coming year. Read 10 Security Trends To Watch In 2012. ]

Accordingly, Zappos has expired all customers' passwords, and directed customers to reset their passwords via a dedicated password-reset page. Tuesday, however, customers located outside of the United States were unable to access either the Zappos website or the password-reset feature, and instead received a message saying that Zappos was working to resolve "a few technical issues."

Those technical issues involve preparing the systems to handle an anticipated surge in website traffic. "As a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non-U.S. users soon," said Zappos spokeswoman Diane Coffey of PR agency Kel & Partners, via email.

Despite Zappos' data breach notification to consumers, the company hasn't yet answered several key questions, such as detailing when the data breach occurred, the length of time for which attackers may have had access to its systems, or how the breach was finally detected. Zappos also hasn't indicated whether it will offer identity theft monitoring services to affected customers.

In the wake of the breach, Hsieh told employees that Zappos would be temporarily suspending all phone-based customer support, handling customers' questions solely via email, and training large number of current employees to help. "Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," he said. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume."

That move was likely astute. Last year, for example, after Texas authorities set up a toll-free number and call center to handle inquiries relating to a data breach that exposed 3.5 million records of Texas residents, the call center--which could handle only 19,000 calls per day--was quickly overwhelmed.

What's the risk to Zappos customers from the data breach? On its own, the information exposed in the breach likely doesn't pose a large risk. Still, security and data breach experts have warned that anytime collections of personal data go missing, it can provide a goldmine for social engineering attackers, for example if the data gets used to make spear-phishing emails look more authentic.

In its email to customers, Zappos also warned them to beware future email or telephone scams that might attempt to use the data breach to trick users into divulging their personal details. "As always, please remember that Zappos.com will never ask you for personal or account information in an email," it said.

Heightened concern that users could inadvertently expose or leak--or purposely steal--an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. An Insider Threat Reality Check, a special retrospective of recent news coverage, takes a look at how organizations are handling the threat--and what users are really up to. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Michael Martin-Smucker
50%
50%
Michael Martin-Smucker,
User Rank: Apprentice
1/17/2012 | 4:32:38 PM
re: Zappos Hack Exposes Passwords
Consider me troll'd. I clicked on the link to this article just so I could complain about how the headline is click-bait. Exposing hashed (and hopefully salted) passwords is very different than exposing passwords. Obviously you know that because you mention it in the article, but this fact was conveniently ignored in favor of a more dramatic headline.
Guest
50%
50%
Guest,
User Rank: Apprentice
1/17/2012 | 5:10:32 PM
re: Zappos Hack Exposes Passwords
Any chance the your Amazon account could also be at risk?
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/18/2012 | 1:12:55 AM
re: Zappos Hack Exposes Passwords
@ Guest - I don't know if the accounts are linked or not, but if they are or you use the same username and password for both then I would change the Amazon password as well to be safe.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31476
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
CVE-2021-31477
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
CVE-2021-32690
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
CVE-2021-32691
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).