Online retailer Zappos.com is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.
The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.
Zappos said that hackers gained access to customers' names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.
Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.
Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.
"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said.
The e-mail also went out to customers of Zappos' discount website, 6pm.com.
While large, the Zappos breach was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.
Never save your cc info for further payments to a site. Always use a one time payment option.
Or a prepaid card.
Credit card information may have not technically been breached, but that doesn't mean fraudulent charges won't be showing up on Zappos customers' accounts. We spotted a fraudulent $1200 pending Zappos charge on our credit card account right before Christmas. We spotted it because we check our account frequently online.
If a thief hacks into your Zappos account, they can order merchandise from Zappos using the credit card number you've stored in your account profile, and ship the goods to a different address than your own. Surely Zappos knows this. They ought to be warning consumers to check their credit card accounts for fraudulent Zappos charges.
I suspect there's going to be more to this story...a lot more...when people start looking at their January credit card bills.
Yes, they know this. That's why they reset all account passwords, as mentioned in the article.
If you had something happen right before Christmas, then are you saying they got hacked a long time ago and are just releasing the information now?
I saw a sick person yesterday, and now I'M sick. It MUST have been that person!! It couldn't possibly be that time I wiped my backside poorly and didn't wash my hands! With 24 million customers involved, surely not a single one will have seen an unrelated Zappos-related fraud problem in the last couple of months!
Happened to me two weeks ago!
So at least they did something smart – they didn't store everything in one place, so the full credit card numbers from customer accounts are untouched. And from the sounds of it, they released this information quickly, unlike many companies that sit on it for weeks or never release it at all. Still, it would be nice if there were a standard protocol in place for protecting networked business systems like this. Every one of them currently is unique and ad hoc to large degrees, making them security nightmares.
Agreed. I think they've handled it all very well – haven't lost my business!
How do you know for a fact that they didn't sit on this for weeks?
They stepped up, admitted it, and immediately took steps to take care of it. I don't think they've lost any ground. Hackers are smart and incredibly hard to combat.
Generally agree; this is a much better response than several other large corporations that have sat on information about break ins for weeks, or never released it at all.
You are like kids playing with fire. They got our ENCRYPTED information? If you can't do it right, don't do it at all. You endanger the financial well-being of people, and cheap shoes are not worth it.
Uh – the fact that the passwords were encrypted is a GOOD thing. It means they can't be read or used without deciphering them. They are effectively useless. And now that Zappos has changed them all, they are useless even if unencrypted.
People need to realize computer security is just like a normal lock. It's really just there to keep honest people honest. If we all went by your standard of "If you can't do it right, don't do it" then we might as well delete all of our online accounts right now and go back to the 1950s.
and you think that encrypted info can't be de-crypted ? Please.....
So once they're decrypted...so what? They're useless. Read the article. Even that's assuming a lot – decryption isn't the walk in the park comic books make it out to be.
Actually encrypted passwords are quite handy. The key is not to decrypt them, but to re-encrypt a master list of words/phrases/strings and match the encryption string, since you have the original word/phrase to make the password. Then take those email addresses and brute force try them out, because many people re-use their passwords across websites.
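The attack the comment above describes is a dictionary (wordlist) attack against stored password hashes: the attacker never "decrypts" anything, but hashes candidate words and looks for matches. The block below is an added example, not code from the article, from Zappos, or from the commenter. It assumes a hypothetical leak format (unsalted MD5 hex digests keyed by e-mail address; the article only says the passwords were "encrypted") and a constructed three-account leak and six-word wordlist. It also shows the countermeasure the thread touches on further down, a per-user random salt with a slow key-derivation function, and why that changes the attacker's cost: with unsalted fast hashes one table of hashed guesses cracks every account at once, while with per-user salts every account needs its own pass over the wordlist and each guess is deliberately slow.

```python
import hashlib
import hmac
import os

# Constructed sample "leak": e-mail -> unsalted MD5 of the password.
# The storage format is an assumption for this example, not Zappos' format.
LEAKED_UNSALTED = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"Xq9!vT#2pLm").hexdigest(),
}

# A tiny constructed wordlist standing in for the "master list of words".
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "zappos"]


def crack_unsalted(leak, wordlist, algo="md5"):
    """Dictionary attack on unsalted hashes.

    Hash each candidate word once, build a lookup table, then check every
    leaked hash against it. Returns (cracked, hash_operations). The work is
    len(wordlist) no matter how many accounts leaked, because two users who
    chose the same word share the same stored hash.
    """
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in leak.items() if h in table}
    return cracked, len(wordlist)


# Hardened storage: random 16-byte salt per user and PBKDF2-HMAC-SHA256.
# The iteration count is kept low so the example runs quickly; production
# deployments use far more (or a memory-hard KDF such as scrypt/Argon2).
DEMO_ITERATIONS = 20_000


def store_salted(password, iterations=DEMO_ITERATIONS):
    """Return the record a server would keep: (salt, iterations, derived key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


# The same three constructed accounts, stored the hardened way.
LEAKED_SALTED = {
    "alice@example.com": store_salted("password1"),
    "bob@example.com": store_salted("letmein"),
    "carol@example.com": store_salted("Xq9!vT#2pLm"),
}


def crack_salted(leak, wordlist):
    """Same wordlist against salted, slow hashes.

    No shared table is possible: each account's salt forces a fresh
    derivation per guess, so the work is roughly accounts * wordlist and
    every derivation costs `iterations` HMAC rounds instead of one MD5.
    Returns (cracked, kdf_operations).
    """
    cracked = {}
    work = 0
    for email, (salt, iterations, dk) in leak.items():
        for word in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
            if hmac.compare_digest(guess, dk):
                cracked[email] = word
                break
    return cracked, work


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: cracked {found} with {ops} hash operations")
    found, ops = crack_salted(LEAKED_SALTED, WORDLIST)
    print(f"salted:   cracked {found} with {ops} PBKDF2 operations")
```

Both runs recover the two weak passwords (the strong one in the constructed set survives the wordlist either way), which is the point of the comment: once an attacker has e-mail addresses and cracked passwords, password reuse on other sites is the real exposure. The difference is cost. The unsalted run spends six cheap MD5 calls for the whole leak; the salted run spends thirteen PBKDF2 derivations for three accounts, and that per-account, per-guess multiplier is what makes cracking a 24-million-user table expensive.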
Hats off to them for announcing it though and not hiding it like other large companies that try to keep a lid on things or believe in bogus mantras like 'need to know basis,' that only let the privileged in on weaknesses.
This is actually a very reputable company and their customer service is fantastic. As a long time customer I understand shutting off the phones. The millions of calls trying to come in would crash their systems and maybe impact their ability to mitigate their issues with being hacked. I'm sure they are probably using a VOIP solution which means millions of phone calls could take down their other servers.
Their security is actually pretty good as they incorporate SSL, Verisign, Trustwave and use industry standard firewalls. Nothing is 100% secure. There will always be hackers and they will always find a way to get in. The weakest link for any company is always their individual employees. Most often, it is an inside job. I don't know the details in this case but I feel confident Zappos is doing their best to protect their customers.
They got enough information to charge my debit card $420.00 worth of merchandise two weeks ago. Took me a week to get my money back and this was because I was able to cancel the order before they shipped it!
Yes, saith, they stepped in, admitted what happened and said, don't bother calling, we don't care, we're pulling the plug on the phones. What a joke! And don't pretend that Amazon couldn't handle a million calls. They're fully owned by Amazon. And guess what, maybe next week they'll come back and say, 'oh no, that email you sent more info to, hackers have been hacking it also.' What a joke of a company.
I have been buying on Zappos for years, and I shop there a lot. Why didn't I receive this email???? Their customer service is usually great, but obviously they didn't send the email to everyone.
They are only sending it to those with compromised accounts. I've bought stuff through Zappos before, but I've never opened an account there, preferring to do the purchases as one-off transactions.
Just because Amazon is the parent company doesn't mean that all their systems are integrated. I worked for a company owned by a large investment firm. Our network and phone system was entirely separate from theirs. We had a completely independent network and data center. This is the case for many companies which are owned under an umbrella of a larger company.
These over-privileged, never got their fingernails dirty will never do anything good for Humanity. When we catch them (and we will) we need to remove their Testicles so they can't spread their seed.
My credit card was flagged for fraud 3 days ago by BOA. I bought a pair of shoes on Zappos for a Christmas gift in early December, and rarely use my card for anything else...... I highly encourage you to go over your recent transactions as I believe more was hacked than they are letting on.
What the heck is zappos? Is that another Republican candidate for president I didn't know about?
Guess I should be glad I never heard of Zappos until today.
With Zappos, I'm not worried. They will and are getting a handle on it. I've had the best service and shoes from them since 2003. I do not buy shoes anywhere else and don't intend to.
I'm worried for those 24 million. Many people have bad practices, such as using the same password for multiple websites. The hackers know their plain-text passwords as well as their email addresses. Care to guess at a percentage of folks that have the same password for both Zappos and their email?
I'd bet quite a few!
Scotty – the passwords obtained are encrypted, not plain-text. To the best of my knowledge, no one stores passwords in plain text, a practice that disappeared several decades ago. While decryption is possible, it is not simple, especially in a case like this where each password will be encrypted using a different key.
^^ on the Zappos payroll
Nah, you've just never done business with them. They're quirky, likable, reasonably priced, and actually empower their employees to do right by their customers.
I bought boots for my daughter's Chun Li costume and have been a fan ever since. :-P
This blog – This Just In – will no longer be updated. Looking for the freshest news from CNN? Go to our ever-popular CNN.com homepage on your desktop or your mobile device, and join the party at @cnnbrk, the world's most-followed account for news.