Zappos hacked; 24 million customers affected
January 16th, 2012
07:45 AM ET

Online retailer Zappos is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said.

The e-mail also went out to customers of Zappos' discount website, 6pm.com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.

soundoff (268 Responses)
  1. John Smith

    We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at

    January 16, 2012 at 11:43 am
  2. OregonTom

    Why would you waste time hacking into a shoe store data base? Go exercise or something.

    January 16, 2012 at 11:44 am
  3. Dr Zoidberg

    thanks anonymous for exposing this corporate 1 percenter's lack of security

    January 16, 2012 at 11:45 am
  4. Liviu Blumenthal

    it's idiotic for any company to list the last 4 digits of any credit card since THAT'S ALL THAT'S NEEDED to steal the account. WE – THE CONSUMER – should demand better security for our vital information and the removal of all information that could be proliferated into discovering the rest of our information. It's high time that we demand web merchants that make plenty of money to do the most that it's possible with today's technology to protect us – otherwise – let's stop buying from these guys! It's that simple! We're in charge!

    January 16, 2012 at 11:47 am
    • ELH

      I have several credit card accounts. I get a paper bill from each of them every month. On three of the four bills, the last four digits of the account (card) number are in full view somewhere on the bill. Unaccountably, on one of the bills, the full 16-digit account number appears prominently at the top of the bill, along with my address!

      Therefore, my account information is easily obtained by simply rifling my mailbox (or intercepting my mail during its travels from company to me). So much for corporate security policy and concern for the customer.

      January 16, 2012 at 12:06 pm
    • Phil

      They would have to guess the other 12 numbers, in correct order and then would have to have the expiration date and CVV numbers to make it work.

      Social security numbers are easier. If you know the last four digits of mine and know where and when I was born, then you'd just fill in the blank.

      January 16, 2012 at 12:09 pm
    • Justin Bieblet

      do people tend to not take you seriously? almost every bill/receipt you use with a credit card will show your last 4 numbers?

      January 16, 2012 at 12:36 pm
    • Zabbot

      Spot on Phil. The last 4 digits of your CC do not expose your account much more than the fact that the card identifiers are all based on numeric digits.

      January 16, 2012 at 12:39 pm
  5. bezerkur

    idk maybe because u woman have enough shoes.

    January 16, 2012 at 11:51 am
  6. Jennifer

    I didn't get one, either, and I buy a fair amount from them. I checked SPAM and junk mail and no communication from Zappos.

    January 16, 2012 at 11:55 am
  7. calvin

    What gets me is all these retailers (online or brick/mortar) all stress how their systems are so secure, then they get hacked. They need to know that NO system is secure. Zappos is just the latest, and there will be more.

    January 16, 2012 at 11:58 am
    • snowdogg

      To the point!

      January 16, 2012 at 12:05 pm
  8. jorge washinsen

    Everyone wants info at their fingertips and in the process every Tom, Dick and Harry also has access to it. Nothing is safe. People put all their secrets and pictures out for people to see. That is life in 2012. We are all hanging on a public clothes line because we demand convenience. One of the worst snoopers is the government. Type in the wrong word and presto you will have a visitor.

    January 16, 2012 at 12:14 pm
  9. jorge washinsen

    Someone raised the snot-nosed kid who is doing this; they should be responsible for their spawn.

    January 16, 2012 at 12:17 pm
  10. Mark Smith

    Stupid response – turned off their phones – sent email that goes to spam – but NOTHING on the front page of

    Web site still shows phones available, but on-line chat off.

    They owe their customers better disclosure.

    January 16, 2012 at 12:21 pm
  11. 2012

    Internet hacking has increased recently on purpose so the government can have an excuse for passing SOPA

    January 16, 2012 at 12:28 pm
  12. Zabbot

    If the data was encrypted then this shouldn't be much of a problem. I suspect that Zappos stored their user credentials unencrypted however based on their response to this attack. Tsk, tsk, tsk. Talk about amateur web engineering...

    January 16, 2012 at 12:34 pm
    • Zabbot

      One should read an entire article before commenting. Tsk, tsk, tsk. Talk about amateur trolling.

      January 16, 2012 at 12:41 pm
  13. Julian

    what a great way to get people to do some shopping. while they are updating their passwords, maybe they will wander into the website and do some shopping... it's diabolical, but it's genius!!

    January 16, 2012 at 12:37 pm
  14. Jeff Runkle

    It's a GREAT time to BUY LOW! This is how it is done. Google the term "Simple Stock Cash" and click on the Top ranked non-ad site. Go to the Penny Stock section to find out what the rich do not want you to know. For everyone that hasn't had a fair shake in life. This site is for you. I think we all deserve a change at super wealth and this is a start.

    January 16, 2012 at 12:45 pm
    • Bozobub

      You fail, spammer.

      January 16, 2012 at 1:23 pm
  15. SquidGal

    I am glad I do not do business with these folks. Seriously, they turn off the phones on their customers? I mean it is their sloppy security that was breached. The line about taking steps back after one incident .... would it have been OK if it was multiple incidents? Whoever wrote the memo was focused on their own woes and could give a hoot about the customers who were inconvenienced.

    January 16, 2012 at 12:53 pm
    • D

      Did you read the article as to why?

      January 16, 2012 at 1:50 pm
    • t3chsupport

      Reading comprehension for the win!

      January 16, 2012 at 1:54 pm
    • Dave H

      As was explained in the article, they don't have the manpower to handle the calls. It would be an exercise in futility to even attempt to accept hundreds of thousands (or even millions) of calls and explain the same procedure over and over again. And – sloppy security is a bit harsh. Any commercial system can be hacked. I don't care how good you are or how secure you think you are. If someone really wants in, they will get in. Not everyone has the billions the government spends on cyber security to make their websites safe. Bottom line – use of the internet with credit cards has always been a 'use-at-your-own-risk' venture. Name a large on-line retailer then google the results for hacking. You'd be hard pressed to find a company that hasn't been hacked.

      January 16, 2012 at 1:57 pm