hacked; 24 million customers affected is asking its 24 million customers to reset their passwords.
January 16th, 2012
07:45 AM ET hacked; 24 million customers affected

Online retailer is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses,  billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said..

The e-mail also went out to customers of Zappos discount website, 6pm. com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.

soundoff (268 Responses)
  1. Jazzy

    Ya know my first thought was, "that's so sad to happen to someone who's just trying to make a living", meaning the company's owner. Second thought was, Hmmm wonder if other *hackings* into businesses where fakes from the company it self for free publicity. Well ? It could happen. 😉

    January 16, 2012 at 8:01 am | Report abuse |
    • Never Assume

      Or, it could be aliens from Zork. Can I borrow your tin foil hat?

      January 16, 2012 at 8:06 am | Report abuse |
    • Bill

      Don't use logic or you will be called a crazy conspiracy theorist.

      Who do you REALLY think creates computer viruses, worms, trojans, etc? Big computer anti-virus corporations. That's how the world works. But the kiddies don't want to accept it.

      January 16, 2012 at 8:33 am | Report abuse |
    • rob

      It could happen, and some people claim any publicity is good publicity. However, what your suggesting is like a bank faking a vault robbery in order to get more customers. Not gonna happen.

      January 16, 2012 at 8:46 am | Report abuse |
    • joe

      That makes a lot of sense. Invent a cyber attack which may make customers think their personal information including credit card numbers etc. may have been stolen in order to gain free publicity. I've got another idea for free publicity: A restaurant could create a false report with the heath department that it is infested with rats which would certainly make the evening news. Business would certainly double if not triple.

      January 16, 2012 at 8:47 am | Report abuse |
    • ???

      Ok, whoa, way off there! Why would, I, try to eat at a restuarant that "claims" to be infested with rats? A little common sense and elbow grease here, do you really think customers at some clothing manufacturer is going to buy more of their products after a cyberattack, let alone stick with their online accounts? Rather drive over to a Gap store and buy new pants than do something as asinine as that to the point where it's saying, "Hey I am an overly persistent customer at a high profit clothing company! Hack me!"

      January 16, 2012 at 9:07 am | Report abuse |
    • Tammi

      If that's the case then they went too far cause someone charged $420.00 to my bank card over a week ago and it wasn't me. I had to cancel my card and was able to cancel the order that was being shipped to somoene in Murray, Kentucky. I live in Indiana and they had my mailing address and my credit card number!

      January 16, 2012 at 1:18 pm | Report abuse |
    • Tammi

      Someone charged my debit card over $400 to Zappos over a week ago and it wasn't me. Had to wait over a week to get my money back! Also had to cancel my card!

      January 16, 2012 at 1:19 pm | Report abuse |
  2. Wow

    That sucks!

    January 16, 2012 at 8:04 am | Report abuse |
  3. Mark

    reset your passwords... never mind all the other personal info they obtained.
    And you always read "we won't contact you by email"... and yet they are.

    January 16, 2012 at 8:05 am | Report abuse |
    • dragonwife

      The "not contacting by e-mail" is normally used either to mean "we won't solicit you by e-mail" or to try to ensure the customer doesn't respond to hackers attempting to get account access by sending one of the phony "please give us your info again" e-mails. This one was telling the customers about the hacking, and advising them to make sure they reset their passwords. Big difference. And as for Zappos telling customers to reset and/or monitor other info, is it their responsibility to make sure the customer is a big girl (or boy) and takes care of all that? Nope.

      January 16, 2012 at 10:53 am | Report abuse |
  4. RUFFNUTT ( south Yemen prison GUARD )

    THAT SUCKS.. well i;'ll guess i'll change it to 7654321...

    January 16, 2012 at 8:14 am | Report abuse |
    • notruffenuff

      Hey – That's MY password, you can't use that one!

      January 16, 2012 at 8:30 am | Report abuse |
    • kc_and_fa

      That was Zappos pw. Don't use it. It's been hacked!

      January 16, 2012 at 8:41 am | Report abuse |
  5. Jazzy

    @ Never Assume, Anything can happen in this life. C'mon man give me a break! I only got 2 hats left, go get your d a m n hat. lmao 😉

    January 16, 2012 at 8:14 am | Report abuse |
  6. Jazzy

    Rather "your *own* d a m n hat"

    January 16, 2012 at 8:16 am | Report abuse |
  7. Mike Distance

    Don't blame Zappos it's not their fault, make it impossible to hack and there will be no hacking. The answer is pretty clear hear, things are way to wide open. Internet and anonymity mix like water and oil, they don't. It's time to put a fingerprint to every browsing session.

    January 16, 2012 at 8:25 am | Report abuse |
    • Amber

      Be careful what you wish for. This could all be a set up and the next step toward the communist takeover by the wacko leftists in our own US govt in order to protect us from ourselves. I do not want BIG BRO looking everywhere I go for no reason.

      January 16, 2012 at 8:39 am | Report abuse |
    • ???

      Let me assure you, you cannot look over your should every day, even if you feel like something is watching and it really is for good reason. The fact that big brother is watching everyone is derogatory, but true because how do you think the we know how many people are currently walking the planet. As for what Mike said about the fingerprinting is an ingenus idea since, like neighbors, you can never know your customers well. A relative of mine once told me that the NRA should recommend arms shops to install fingerprinting devices for background checks and she said the same thing about banks. Maybe if we want to at least quash hacking in the digital system, we can at least try to know who our enemies are before securing ones servers. I doubt that McAfee is even updated enough to battle these evil cybernetic hackers. The last thing this planet needs is cyberterrorism and it is bad enough we have pirates and Al Quada on our hands. They already made a movie on cyberterroism with Bruce Willis in it and trust me, leave out the special effects and unrealistic action, and you have a heck of a chaotic world, if you know what I mean.

      January 16, 2012 at 8:53 am | Report abuse |
    • jonasir

      Wouldn't make a blind bit of difference. The hacker didn't guess everyone's password – he hit a server which contained all of this information.

      January 16, 2012 at 9:23 am | Report abuse |
  8. ummyaa

    I guess the cost of having a secure network isnt worth it for these companies. Couple million in lost sales or state of the art network...hmmm.

    January 16, 2012 at 8:27 am | Report abuse |
  9. southern_gent_from_mississippi

    Never heard of the company but after reading the story about their non existant customer service department (shutting the phones off in anticipation of customer complaints), I defintiely wouldnt deal with them in the future.

    January 16, 2012 at 8:29 am | Report abuse |
    • AGuest9

      Apu didn't want to answer questions.

      January 16, 2012 at 8:45 am | Report abuse |
    • Saith

      They have already explained all attention is being diverted to emails. Why should they let their phone system crash when inundated with millions of calls? I think email was a really smart way to cover it.

      January 16, 2012 at 9:05 am | Report abuse |
    • What would you do?

      So, lets say 1 million people call in, what are they supposed to do? Customer service doesn't always mean getting on the phone. It means getting things fixed and admitting that they made a mistake. In normal, non-escalated situations their customer service is bar-none. Google Zappos customer service. Read what people say. People love what they do and how they care.

      Just answering the phone and sitting on the phone with some idiot who wants to rant about privacy for 2 hours helps no don't pretend you'd be able to do anything better.

      I'm interested to hear how you'd handle the situation.

      January 16, 2012 at 10:32 am | Report abuse |
  10. Jazzy

    @ Bill, LMAO 🙂

    January 16, 2012 at 8:35 am | Report abuse |
  11. southern_gent_from_mississippi

    Rooney, a quick google search tells me that Amazon owns zappos. You really think Amazon cant handle the calls? Just poor service all around, thats all.

    January 16, 2012 at 8:36 am | Report abuse |
    • Yep

      How many times have you called amazon?

      January 16, 2012 at 9:03 pm | Report abuse |
  12. Dan G.

    Probably by the cyber criminals anonymous who will buy a few pairs of shoes for the poor and use some of the money for themselves along with the identify theft and make believe they did it for a good cause as they do with all their criminal acts.

    January 16, 2012 at 8:39 am | Report abuse |
  13. Manuel J.

    I think everyone is missing a key point. Cybercrime should be redefined from a "white collar crime" to a "capital offense".

    For those opposing, I don't think a capital offense is cruel and unusual punishment when the perpetrator has caused, in many cases, irreparable harm to people (e.g. stealing & selling of social security numbers, credit card numbers, etc.).

    January 16, 2012 at 8:40 am | Report abuse |
  14. AGuest9

    Resetting customers' passwords is the LEAST of their concerns.

    January 16, 2012 at 8:43 am | Report abuse |
  15. Mike

    That's too bad. Zappos has always had the best selection and service on the internet. My dealings with them have actually been a pleasure. I hope this doesn't impact their business.

    January 16, 2012 at 8:49 am | Report abuse |
1 2 3 4 5 6 7 8 9