Zappos Reports Security Breach, Advises Customers To Change Passwords

The Huffington Post   First Posted: 01/16/12 11:08 AM ET Updated: 01/17/12 05:57 AM ET

The online retailer Zappos has notified customers that some of their account information may have been accessed by hackers who breached the company's computer system.

In a letter posted to its website, Zappos chief executive Tony Hsieh said the company was "recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." Hsieh said the company was cooperating with an investigation by law enforcement.

In an email sent to the company's more than 24 million customers, Zappos said:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

The e-mail said the database that stores customers' credit card and other payment data was not affected.

Zappos said customers should reset their passwords on Zappos.com and any other website where they use a similar password. The company also warned customers that hackers may use their information to trick them into revealing more sensitive data.

"Please remember that Zappos.com will never ask you for personal or account information in an e-mail," the e-mail said. "Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information."

Founded in 1999, Zappos is the largest seller of shoes online, generating a loyal customer base with its large selection and its policy of offering free shipping and returns. The company, based in Henderson, Nev., was sold to Amazon.com in 2009 for about $850 million.

04:43 PM on 01/17/2012
Zappos is giving everyone a lesson on managing a data breach that everyone who may ever have to deal with the problem should look to for guidance. There is a lot to be learned. People understand that such things happen and, unless you've been egregiously lax in protecting their account information, will give you the benefit of the doubt. How you respond to the crisis will be what determines whether or not the issue is resolved with minimal damage or it deteriorates into a PR disaster.

As I said, Zappos is giving us a real-time lesson on how to do crisis management properly and we should all be taking notes. For a more detailed analysis: http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach
06:25 AM on 01/17/2012
Seo Telecommunication

Thanks for showing up such fabulous information. I like this post, keep writing and give informative post...!

Seo Telecommunication
11:34 PM on 01/16/2012
What sort of name is Zappos anyway? Was it invented to be witty?
HUFFPOST SUPER USER
MikeyJaii
Socialism.
09:56 PM on 01/16/2012
Zappos products not so great anyways..
HUFFPOST SUPER USER
xcuzemebut
capitalism needs soCIALISm to stay sexy.
04:36 PM on 01/16/2012
I will not be surprised if Marcus Bachmann is behind Zappos hack. Boomer never stops wanting new accessories.
HUFFPOST SUPER USER
wilray
50,000 Screaming Fans (Ignore that other number)
03:05 PM on 01/16/2012
Another thing that you should consider is getting alerts for your CC and Debit cards, if your issuer offers the service. Basically, anytime your card is used an email will be sent to you. Getting an email when you have not done a purchase will alert you in a timely way that there is a problem. Of course, you will also have to remember to account for any automatic payments or online subscriptions, especially when the billing name used for such services differs from their usual name.
dukeofurl01
Information Systems Analyst & GIS Technician
03:40 AM on 01/17/2012
My bank (Wells Fargo) offers that, but it's done in their overnight batch processing, not instantaneous like I know they are capable of and what I'd like. I have it enabled, but if it's not instant, it's not very useful.
HUFFPOST SUPER USER
wilray
50,000 Screaming Fans (Ignore that other number)
04:28 AM on 01/17/2012
That's the beauty of Paypal's debit card. You can have it email you as soon as a transaction is done. If you are using a debit card you should be aware that they are treated differently than credit. One way is the window for reporting that you are given when they are lost or stolen. Although WellsFargo is not instantaneous, it could help you stay within that window. I believe the window for 100% reimbursements for debit cards is 2 days. Notify them within two days of a theft and you are 100% covered. Unlike credit cards all the funds may not be available until the matter is sorted out.

WellsFargo e-receipts for their ATM transactions are done immediately.
HUFFPOST SUPER USER
ReignSupreme
02:55 PM on 01/16/2012
Don't worry. All the people are going to get is junk spam mail from Facebook and Starbucks that begins with OMG that directs you to click on a link that's included. Hope they're not dumb enough to click on the link though.
02:44 PM on 01/16/2012
There was no indication of how well encrypted (excuse me - cryptographically scrambled) the stolen passwords were. If encryption was weak, Zappos should also offer the warning that if the Zappos password is used with any other accounts, such as paypal, ebay, wellsfargo, amazon, etc, then you can expect the hackers will attempt combining the stolen email address and de-encrypted password with other popular internet sites in the hopes the customer repeatedly used the same password in many accounts.
HUFFPOST SUPER USER
PartisanLove
doh
04:55 PM on 01/16/2012
uh oh, good point
HUFFPOST SUPER USER
GirlInNYC
A girl in NYC
10:51 PM on 01/16/2012
Saw the story on the news where the anchor said that they're urging people to not use the password used for Zappos on any other accounts.
02:35 PM on 01/16/2012
That sucks. I'm trying to order a pair of shoes that I've been waiting for Zappos to get back in stock. Can't log in and I've tried resetting the password. No email, just a notice when I try to check out.
01:24 PM on 01/16/2012
Now when I enter my email it tells me that they don't have it in the database!! WTH!!
ESJ247
I eat micro-bio with milk.
01:16 PM on 01/16/2012
I have an account with them but I never received an email.
01:20 PM on 01/16/2012
Me neither.
HUFFPOST SUPER USER
PartisanLove
doh
04:58 PM on 01/16/2012
Try to log in and it sends it again. I did that and finally got the email with the link to reset the pword.
01:09 PM on 01/16/2012
Still waiting since 11 AM this morning for their email to change my password!!
12:38 PM on 01/16/2012
Folks... before doing a password reset or signing on...

Make sure you properly type in the URL and verify you are on their site.

DO NOT, UNDER ANY CIRCUMSTANCES CLICK A URL IN AN EMAIL.

Open up a separate browser session. If you reply from an email, you might get hijacked!
HUFFPOST SUPER USER
RealityMyFriend
HOPE 2012
12:05 PM on 01/16/2012
Their new password reset function does not function.
HUFFPOST COMMUNITY MODERATOR
Gudrun
My micro-bio is empty
04:16 PM on 01/16/2012
I guess I will give it a few days and then try. In the meantime, I won't click on any links that are sent to me from Zappos.
HUFFPOST SUPER USER
DanInAustin
Got 99 problems but dang that's a lot of problems.
11:57 AM on 01/16/2012
Credit card companies need to get with the times. They need to issue one-time-use credit card numbers for online use and much more security around permanent credit cards. "Verified by Visa" and similar programs are a start, but they're not there yet.

As it stands now, there are only 4 pieces of information a thief might need to use your credit card: the card number, the expiration date, the verification code on the back, and your address. It's not an issue for online shopping, but in the real world, 3 of those things are embossed on the card!

I prefer to use Paypal whenever possible. Sure, they're an evil corporation and sure, they're probably not any more secure than anyone else, but at least you're giving your card info to one site instead of 12.
01:01 PM on 01/16/2012
I keep asking this question. I am not sure I am explaining myself well.

Why can't I set up an account online with an entirely false identity, then have my bank transfer money into it - from the bank - then debit my account? I buy goods which are delivered for pick-up to a local retail outlet. I prove my "identity" at pick-up with data from payment process.

This way, I do not use my name, address, bank or card details.
sillyfrog
Pastafarian UU student
01:44 PM on 01/16/2012
I think you can do that. Probably start with a small local bank or credit union.
HUFFPOST SUPER USER
wilray
50,000 Screaming Fans (Ignore that other number)
02:20 PM on 01/16/2012
When setting up an account with Paypal there is a verification process. If you are trying to say that you don't want Paypal to have your identity then you will have a problem. If you are saying that you don't want other online vendors having your information, then that is what Paypal is for. Some vendors may ask for additional info, however Paypal does not require it. With many vendors you can put the items in your shopping cart and then proceed to Paypal check out.

Also, there is more than one type of Paypal account. There are basic, premium, and business accounts. You can have two accounts - a basic account and a premium or business account. You can have multiple profiles with the accounts, meaning each profile seems like a different account - different email, different banking, different address and shipping address. In fact, the business account is designed to allow businesses to have multiple personnel use the account while restricting some administrative functions.

BTW, Paypal also has student accounts. Parents create and fund student accounts from their own accounts.
HUFFPOST SUPER USER
Skotyman
My micro-bio tches
02:01 PM on 01/16/2012
BofA has a thing called SafeShop or ShopSafe...that generates a CC number, security code, expiration date and charge limit for single uses. It's basically a camouflage for your CC. A bit of hassle but a good idea.