Zappos.com hacked; 24 million customers affected
Zappos.com is asking its 24 million customers to reset their passwords.
January 16th, 2012
07:45 AM ET

Zappos.com hacked; 24 million customers affected

Online retailer Zappos.com is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses,  billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said..

The e-mail also went out to customers of Zappos discount website, 6pm. com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.

soundoff (268 Responses)
  1. conradshull

    Now Eastern European hackers know the shoe size of 24 million women!

    January 16, 2012 at 9:43 am | Report abuse |
  2. ABasketOfPups

    Unlike Sony, their passwords were encrypted (as it says right in the article and email) so it's no where near the annoyance. Still bites, of course, but less.

    January 16, 2012 at 9:46 am | Report abuse |
  3. PinkFloyd

    I am wondering how they 'encrypted' the password. The message I got was the hackers had the 'encrypted' password, now wondering how hard it is to hack that. Once they have the password they also have the email address, which also should of been encrypted, typically people use the same password, right?

    January 16, 2012 at 9:48 am | Report abuse |
    • John

      No. Not if they are very smart.

      January 16, 2012 at 10:35 am | Report abuse |
    • SixDegrees

      There are many encryption algorithms available. Decrypting passwords is not at all trivial with any of the standard ones. And Zappos did the right thing – they changed all affected account passwords, and had stored the most sensitive information – the full credit card numbers – completely out of reach. Far better than many larger corporations. I wouldn't be worrying about this; if you are, go change your passwords elsewhere that might be impacted.

      January 16, 2012 at 10:38 am | Report abuse |
    • Chuck

      The password is encrypted meaning that if you find just the encrypted text (ciphertext), then you literally have nothing. You need the decryption key as well to work backwards to a working password. For example, if your password was "dolphins72" then your encrypted password would be something like this: "hkjhklnJKAHI23ljsakALjljfo24312xkopjfow32wjofjdsofhsderwjo232fdsfakjoakgewr". Emails are typically not encrypted at rest because they are not typically considered sensitive data.

      So this might mean more spam for those impacted, not much else.

      January 16, 2012 at 10:39 am | Report abuse |
    • Laura

      Well another Fujitsu T5010- cant get into bios from F2. Tried the three pwsraosds. Got a 15 dgigit all number. Ran it through the program pwgen-fsi-5x4dec and out came a password that I do not recognoze. I put that in and yep I'm in the BIOS now. This doesnt appear to let me reset the current supv password though. If I try and put in anything other than certain letters the thing just beeps for current password.Ideas? Is there no way to just crack these things open and reset something. I have three doing the same thing. They want $150 to mail it in. What is it that they do diff to clear the supv password or am I doing something wrong.thankscarito

      March 14, 2012 at 9:28 pm | Report abuse |
  4. Joey Isotta-Fraschini©™

    NOT JIF @ 8:37.
    --–
    Dear Joey Isaac-Fracheeny:
    Your two-million dollar order of Depends is on back order and will arrive via UPS at our earliest convenience.
    As a courtesy of our Customer Service Departmint :) ©®, we are informing you, without charge, that Chase Bank has canceled all of your accounts, and all of your credit cards have been canceled.
    Thank you for your order.
    We look forward to serving you in the future.
    Yours in Christ,
    LaBetta Wier-Won,
    Manager-on-duty,
    Consumer Relations

    January 16, 2012 at 9:55 am | Report abuse |
  5. Pam

    I like Zappos, as well. I received the notice this morning, but unfortunately, the password reset emails aren't going out.

    January 16, 2012 at 9:58 am | Report abuse |
    • fancy

      I've not received my email either. So we wait and hope. Last four of credit card, isn't that a big deal?

      January 16, 2012 at 12:52 pm | Report abuse |
  6. DaveinSC

    On face value, it's not the end of the world if a company gets hacked. What bothers me more is as companies get more and more data from peoples cell phones about their movements, buying habits, etc., you don't really know exactly what was gleaned from the information they gleaned, nor how it can be used in the future. Companies have no legal obligation to disclose what personal information they bought from other sources on their databases, and under current law, often keep very quiet about hacking, or any other malicious activity due to bad press they would recieve. Makes you wonder just how much information about everyone that shops online is out there, and how secure your life really is.

    January 16, 2012 at 10:03 am | Report abuse |
  7. Karla Porter

    I received a straight forward professional apology and instructions via email last night. No hitches, changed it and moved on.

    January 16, 2012 at 10:09 am | Report abuse |
    • Indu

      Internet and its advantagesYou will iibubntadly impecuniousness to make use of is what gives us the Internet, turning away from the international network is stupid. Sam joyful to avail oneself of the advantages of networks and the palliate of earning it. There are uncountable people who be deficient in to help from the opportunities offered alongside the . Nay, uniform with more people choosing to do this to sit on the network to find numerous interesting things there, you superiority thirst to exercise the opportunities offered close to our , then it is our party may soon reach the customer. Uncountable people are interested in networking solutions for the ad. I personally apprehend this as a reason people who are investing in solutions instead of the prospective, as yet, had not even now up-market, and therefore damned beneficial. The Internet has no paucity of companies that are strongly planted in fact and are able to accept the advantages of continuous handbill via the Internet.

      March 13, 2012 at 4:03 am | Report abuse |
  8. Amy

    My credit card was compromised and false purchases were made over the weekend with a counterfeit card, maybe just a coincidence?

    January 16, 2012 at 10:10 am | Report abuse |
  9. nepawoods

    The email I got states "We also recommend that you change your password on any other web site where you use the same or a similar password". That could be quite a bit of a nuisance. Seriously, who uses a different password on every site they visit?

    January 16, 2012 at 10:10 am | Report abuse |
    • commoncents

      I would hope that 99% of online users would use a different password for each and every site they have an account at (blogs included). I personally write down a "hard copy" of my PW's on a piece of paper and reference that hidden paper if I get "stuck". Not a file I would want a hacker to get ahold of if my confuser was hacked (it CAN happen – look what happened here...). I'm not paranoid, I just work too hard for my money...

      January 16, 2012 at 10:25 am | Report abuse |
    • Rob Wilco

      I use a different password on every site. The nuisance factor can be lessened by a program like 1Password, among others. Highly recommended.

      January 16, 2012 at 10:27 am | Report abuse |
    • John

      I use a small hard copy regular tabbed address book so I can easily look up any password or info associated with an account.

      January 16, 2012 at 10:38 am | Report abuse |
  10. ghostwriter

    You should be concerned. A hacker gained access to their network and was able to take your personal information. And the server that contains your credit card numbers is most likely on the same network which means it is at risk of being hacked. They will correct the network perimeter security, but will they be able to identify and clean any malware, spyware, or other malicious code left by the hacker?

    January 16, 2012 at 10:11 am | Report abuse |
    • Tammi

      Definitely. The hacker charged me $420.00 for a Zappos order. Strange thing is...I don't remember every ordering from Zappos but I do order from Amazon all the time!!!!

      January 16, 2012 at 1:34 pm | Report abuse |
  11. Frank

    Imagine if everyone was honest and played by the rules.

    January 16, 2012 at 10:16 am | Report abuse |
    • shoeshopper

      My credit card was also fraudulently used at Zappos last week. Also wondering if it is a coincident or if there is more to the story. I don't know if I will shop with them again. It is unfortunate because I never had a problem with them before.

      January 16, 2012 at 10:28 am | Report abuse |
    • John

      @shoeshopper Use of your card may not have had anything to do with Zappos, my card was fraudulently used at Zappos to the tune of $600 last year and I have never shopped at Zappos. Fraud department of BofA alerted me of the purchase.

      January 16, 2012 at 10:49 am | Report abuse |
  12. Scratcher

    Lol....never heard of "Zappos".

    January 16, 2012 at 10:23 am | Report abuse |
  13. Stephanie

    I'm a very active customer. Love them. Did not receive this email from Zappos. Yes, checked spam. Just now went to their site and don't see anything about this on their main page or in their blogs. Are we sure this is for real?

    January 16, 2012 at 10:33 am | Report abuse |
    • Olga

      I received an email from 6pm.com just this morning

      January 16, 2012 at 10:42 am | Report abuse |
    • Coralie

      I received one from zappos.com this morning. I would email them asking why you hadn't received one.

      January 16, 2012 at 10:44 am | Report abuse |
    • John

      I received the email. I went to zappos.com and in the upper right corner is a dialogue box to reset password, which I did. Unfortunately, it is the same password I use for so many other online sites that I spent one hour this morning resetting most of them. If you get an email from zappos or what appears to be zappos, I would advise not clicking on any links in the email but use your browser to go to zappos.

      January 16, 2012 at 10:59 am | Report abuse |
    • quiltero

      Just wait for the email. I head about this on my morning news at 4:30am pst. The email from Zappo didn't show up in my inbox until 7:20am this morning.

      January 16, 2012 at 11:35 am | Report abuse |
    • Sarah

      I received the email at 2:03 am (EST). Like John said, I too used the same password on several sites and had to spend the morning changing all of my passwords. While obviously the low-life individuals behind this cyberattack are to blame, it is unfortunate that Zappos did not have proper security controls in place. In light of recent hacks of customer data and the backlash it can cause from customers, companies (especially internet-based companies) need to start taking this more seriously. It is not an "inconvenience" when our personal data is comprised – it is a violation. And there are going to be customers who turn away from Zappos as a result of this. Ironically, a company that experiences a large scale breach like this one is more likely to be secure going forward than other companies who have yet to fall victim but the damage to their reputation can still be hard to overcome. They'll take a hit for this for sure. And they probably should. They handled the aftermath of the attack properly but obviously, they didn't do enough to prevent it.

      January 16, 2012 at 11:35 am | Report abuse |
  14. Karen

    Zappos got an email out to customers HOURS before 6PM.com, which is their sale site. The 6PM site kept crashing while I fixed my PW on Zappos immediately. If you messaged them on Facebook they responded IMMEDIATELY. I was able to fix the 6 PM PW and I chose different PW's for both. Before commenting fnd out WHAT was hacked and be familiar with Zappos which is a premiere company.

    January 16, 2012 at 10:36 am | Report abuse |
  15. oldironeagle

    The Joys of buying on the web

    January 16, 2012 at 10:44 am | Report abuse |
1 2 3 4 5 6 7 8 9