Zappos.com Customer Database Breached, Info on More Than 24 Million Customers Potentially Accessed

No credit card or other payment information seems to have been taken, however


According to news reports like this one at PC World and a letter to its customers, Zappos.com, the online shoe and apparel company, was the victim of a cyberattack. A customer database containing information on more than 24 million Zappos customers was hacked. The shoe company, which was founded in 1999, was bought in 2009 by Amazon.com for over US $900 million.


Zappos informed its customers in the letter that the good news was:

"The database that stores your critical credit card and other payment data was NOT affected or accessed."

However, the bad news, Zappos said, was that:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."

As a result, Zappos decided to reset customer passwords, and it recommended that "... you change your password on any other web site where you use the same or a similar password."

A ZDNET blog post on the incident reinforces the importance of that advice. It points to a recent academic study reporting that "... among [common] customers of the Gawker and rootkit.com sites whose passwords were stolen and exposed, 76 percent used the same password at both sites." The post also talks about how the information gleaned from Zappos.com could be used for targeted attacks or even impersonations at other websites.

Zappos also warned customers about the possibility of phishing emails, supposedly originating from Zappos.com, asking for personal information.


Tony Hsieh, Zappos CEO, also sent a letter to company employees that gave a bit more information about the attack:

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation."

The letter also informed all of its employees at its headquarters, "regardless of department," that they would be helping assist customers with their password change process. Hsieh also said that the company was going to be temporarily turning off the company's phones and asking customers to contact it by email if they had questions or problems. The fear is that if customers tried to call, the company's phone system would be overwhelmed.

The PC World story says that non-US customers have not been able to access the Zappos.com website. Those who tried were met with a message telling them that, "We are currently undergoing some system maintenance that has limited our international customers in accessing our web site."

So far, how the Zappos.com database was breached or for how long has not been disclosed.

Zappos apologized to its customers for the inconvenience, stating on its web site that: "We understand that the safety of your personal information is extremely important to you," and that, "We use a wide array of electronic and physical security measures and devices to protect your personal data and credit card information from unauthorized access."

This incident, like the many others before it, should encourage Zappos and most online retailers to do more than just meet the PCI standards for credit card encryption, and to start encrypting other customer data, such as email and physical addresses, as well.
