Zappos data breach, 24M users exposed

Pierluigi Paganini January 16, 2012

News is circulating on the internet of a new high-profile hack, this time hitting the online retailer Zappos.com, a division of Amazon.
According to the company's official announcement, it was the victim of a cyber attack that gained access to its internal network and exposed sensitive information. The records of 24 million of its users and related data appear to have been exposed.


The information compromised for each user includes names, email addresses and the last four digits of the customer's social security number.
At the moment Zappos is excluding that any sensitive billing data (e.g. credit card numbers) has been exposed. The database holding that data was not accessed by the hackers in the course of the breach, and the company is currently cooperating with a law enforcement investigation. Investigations are underway to understand the nature of the incident and the amount of information stolen.

There are no reports yet on the origin of the attack; the most likely suspects are criminal organizations, which would use the stolen information for phishing attacks, or hacktivist groups, which have distinguished themselves lately with this type of protest action. Zappos has launched a massive information campaign alerting its customers to the real risks they face because of the attack and immediately instructing them on how to behave.

It is a bad habit to use the same password for a wide range of services, from an email account to services like online banking and e-commerce.
This behaviour exposes the end customer to a high risk of falling victim to further fraud.

Who’s next?

Pierluigi Paganini


Below is the email published on the official web site and sent to all customers.

Here is the email that our customers will be receiving:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at [email protected].

—————————————————————————-

We have also created a web page that we will continue to update as we learn more about what questions customers have:

http://www.zappos.com/passwordchange

In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)

We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.

Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.

Thanks everyone.

-Tony Hsieh
CEO – Zappos.com
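The breach response described in the email above (passwords stored only in "cryptographically scrambled" form, every password expired and reset at once, a new password required before the account can be used again) can be modelled in a few lines. The following is an added example, not Zappos' own code; the `AccountStore` class, the PBKDF2 parameters and the user "alice" are assumptions for illustration. It also shows the point of the reuse warning: the reset refuses the old, now compromised, password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed work factor for the example; production values are tuned per deployment.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the 'scrambled' form that is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    expired: bool = False


class AccountStore:
    """Hypothetical account store used to illustrate the breach response."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = Credential(salt, hash_password(password, salt))

    def expire_all(self) -> int:
        """Incident step: invalidate every stored credential in one sweep."""
        for cred in self.users.values():
            cred.expired = True
        return len(self.users)

    def login(self, user: str, password: str) -> str:
        cred = self.users.get(user)
        if cred is None:
            return "unknown"
        if not hmac.compare_digest(cred.digest, hash_password(password, cred.salt)):
            return "denied"
        # Correct but expired: the old secret may already be in an attacker's hands.
        return "reset_required" if cred.expired else "ok"

    def reset_password(self, user: str, new_password: str) -> bool:
        cred = self.users.get(user)
        if cred is None:
            return False
        # Refuse to keep the compromised secret under a fresh salt.
        if hmac.compare_digest(cred.digest, hash_password(new_password, cred.salt)):
            return False
        salt = os.urandom(16)
        self.users[user] = Credential(salt, hash_password(new_password, salt))
        return True
```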
