Zappos.com hacked; 24 million customers affected
Zappos.com is asking its 24 million customers to reset their passwords.
January 16th, 2012
07:45 AM ET

Online retailer Zappos.com is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said.

The e-mail also went out to customers of Zappos' discount website, 6pm.com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.

soundoff (268 Responses)
  1. Rusty

    Sweet! What a way to handle the 'deluge of calls' expected! Instead of 'staffing up' to insure your customers are taken care of and their concerns answered, just turn your phone off! HAH! Glad I'm not a customer of this company!

    January 16, 2012 at 3:29 pm
    • JJ

      Zappos is actually a great company ... you can expect them to staff up to handle a million phone calls.

      January 16, 2012 at 3:39 pm
    • J R Brown

      Didn't you read the article...? If only a small percentage of their customers call, that's MILLIONS of phone calls. "Staffing up" would be a ridiculously stup!d idea. They're handling it the most efficient way possible for everyone.

      January 16, 2012 at 5:00 pm
  2. TheScampiCat

    I just hope that in their cause to teach the towers of power a lesson, Anonymous tries to keep in mind all the 000's of people just like themselves (though lacking in A's computer hacking skills), that wind up as collateral damage. Unless, of course, their agenda includes the little people of the world as well.

    January 16, 2012 at 3:34 pm
    • kbeez

      Who says anonymous is involved? Not all hackers are the same, they come from all walks of life. Some use their skills for criminal purposes, others for political agendas, etc. To pin something arbitrarily on the only hacker group "you" know is like saying every terrorist action is due to Al-Qaida because that is the only terrorist group you are aware of. That is both uninformed and may lead others to misdirect their frustration with a group that has hacked Mexican Cartels' network in a show of their defiance.

      January 16, 2012 at 3:52 pm
    • Research In Mutton

      This is more likely disenfranchised Asian sweatshop workers tired of making cheap goods for overseas Zappos markets than Anon.

      January 16, 2012 at 6:07 pm
  3. bubba

    That's why I NEVER store anything on a retailer's web site.... I always do 'quick-checkout' without registering on the site.

    January 16, 2012 at 3:49 pm
    • TC

      It really doesn't matter if you do a "quick-checkout" or not. All your information is saved on the server anyway. This is how the company can look you and your order up if you call with a question, or make a refund if need be. The only difference between signing up and not is that you (as the customer) have to enter in your info every time you make a purchase. Security-wise, having an account means that someone can login and use it if they have your password (like your kid if they get ahold of your credit card and decide to help themselves to some retail therapy). If someone is sophisticated enough to be a hacker, it's not going to matter if you have an account or not. They're not going to hack just your account. They're going to hack the server with the collective information of thousands on it.

      January 16, 2012 at 6:12 pm
    • Sam101

      That is what I'm going to do from now on. I'm going on any sites I've been on and erasing all I can. Criminals ruin it for everyone.

      January 16, 2012 at 6:16 pm
    • Stan Robinson

      I totally agree w/you about storing stuff on a web site. Most of the time you can't avoid it though. They have you where they want you. What REALLY ticks me off is when you have to hand over a CC number where it's NOT required. Case in point – Roku. Even though you have no intention of buying content from their "store", they REQUIRE you to enter a valid CC number just to activate the device. That's the device that you already paid for!! Dirtbags. They'll be hacked sooner or later, you just watch.... Then will come the predictable "apology". Yeah, thanks a lot, morons.

      January 16, 2012 at 6:45 pm
  4. Just.The.Facts

    Shop locally or lose your economy.

    January 16, 2012 at 3:50 pm
  5. Shel

    I got emails from Zappos and 6PM indicating I needed to reset my password.

    January 16, 2012 at 3:52 pm
  6. john

    now ur wishin we still had Ma and Pa stores. hmmm. Also, gotta love that Due care and Due diligence. Reality is the hacking was prob from within. good luck with that Zappos.

    January 16, 2012 at 4:00 pm
  7. Private

    A website called Care2 with over 18 million members was just nailed by hackers less than two weeks ago... I wonder if it is the same hackers who nailed Zappos!

    January 16, 2012 at 4:51 pm
  8. Ryan

    Umm, what is Zappos anyways? I went to their site but it says they aren't allowing international people to view their site..

    January 16, 2012 at 4:54 pm
    • JJ

      @Ryan. Zappos is an online clothing store (not a brand). Started being a shoe store (hence I imagine the Zappos, from Zapatos in Spanish), is much like the Clothing Department at Amazon (in fact, Zappos' owner) except with a bigger selection and more pictures/modeling for the products.

      January 16, 2012 at 5:58 pm
    • 8675

      shoes

      January 16, 2012 at 5:59 pm
  9. J R Brown

    Didn't you read the article...? If only a small percentage of their customers call, that's MILLIONS of phone calls. "Staffing up" would be a ridiculously stup!d idea. They're handling it the most efficient way possible for everyone.

    January 16, 2012 at 4:59 pm
  10. agFinder

    I'm in IT and this is not 'that big' of a deal. Your name and address is available from the phone company (or even your mobile provider), email isn't a secure item, and neither is credit card last four. Their 'really' secure server didn't get breached (and was probably encrypted anyway). Only reason to worry here is if you're using your banking username/password for shopping as well – and in that case you deserve to lose at least a big chunk of your dough because that's the only thing that's going to get you to pull your head out of your a$$.

    January 16, 2012 at 5:21 pm
    • John Chambers

      OK.. Wise A*ss.. Why don't you spend time to catch a real hacker.. oh wait you are just a help desk level 1 idiot.!

      January 16, 2012 at 6:14 pm
    • Bill Gates

      Oh yeah.. Spoken like a true wannabe (failed) geek! Real IT experts do not even bother to comment..

      January 16, 2012 at 6:16 pm
    • Nick A

      Some people use the same password for their site accounts as they do for their email account. In that case people should be concerned. If they were stupid enough to use the same passwords. My advice to anyone who had their email password the same as their Zappos account password is to change your email account password ASAP and never use the same email password on other accounts.

      January 16, 2012 at 7:16 pm
  11. Thabluprint

    at least it isn't something we care about, like PSN :)

    January 16, 2012 at 5:24 pm
  12. bhosie

    Zappos didn't lie. I got the email early this morning.

    January 16, 2012 at 6:14 pm
  13. Steve

    The passwords were not encrypted, they were hashed. Learn the difference CNN.

    January 16, 2012 at 6:31 pm
    • itscion

      The passwords are encrypted on the backend and hashed on login. They are correct.

      January 16, 2012 at 7:35 pm
    • Now Now

      Isn't hash something you smoke, dude? The 90's are calling and want their obsolete programming technique back.

      January 16, 2012 at 7:41 pm
  14. Nick A

    Some people use the same password for their site accounts as they do for their email account. In that case people should be concerned. If they were stupid enough to use the same passwords. My advice to anyone who had their email password the same as their Zappos account password is to change your email account password ASAP and never use the same email password on other accounts. If they hacked your email address and your Zappos password they can take control of your email and reset all passwords to other accounts by requesting new passwords to be sent to the email they now have control of.

    January 16, 2012 at 7:20 pm
  15. Scott Davis

    what is the PROBLEM with Zappos? I had a $318 fraudulent charge on my Visa from Zappos 4 months ago. I had to cancel my account and get a new number. What a pain. Zappos system is a joke-be careful! They didn't even offer me anything for the incredible hassle of changing everything.....

    January 16, 2012 at 7:37 pm