Hacker infiltrates Zappos network, gets customer info but not full credit cards

Amazon.com’s Zappos and its sister shopping site 6pm are informing users this weekend that portions of their internal network and systems have been infiltrated in a cyberattack. Full credit-card and payment data were not accessed, according to messages from Zappos CEO Tony Hsieh to employees and customers.

Still, customers will be required to reset their passwords as a precaution.

Here’s what Hsieh writes in his message to customers …

Subject: Information on the Zappos.com site – please create a new password

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password.

Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com

It’s the latest in a string of these types of incidents, most recently involving the live blogging platform CoverItLive, which sent a similar message to its users Friday evening.

  • http://twitter.com/Caymengdup Caymen

    thank fucking god.. shit scared the christ out of me

  • Longtime Zappos Customer

    If I am reading this correctly, it sounds like Zappos was storing user passwords in an insecure manner, possibly without a salt or with too simple hashing algorithm. Otherwise, they would not be suggesting you change passwords on other web sites. It would be interesting to find out the truth.
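The commenter's inference rests on how "cryptographically scrambled" passwords are stored. The example below is added here to illustrate that point; it is not code from the article, from Zappos, or from the commenter, and nothing is known about what Zappos actually used. It contrasts an unsalted single-round hash (where a stolen digest can be matched against a precomputed table, and two accounts with the same password expose each other) with a per-user salted, iterated PBKDF2 record. The password strings, the `iterations$salt$hash` record layout and the iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample passwords for the demonstration (not from any real breach).
SAMPLE_PASSWORD = "correct horse battery staple"
COMMON_PASSWORDS = ["password", "123456", "letmein"]

# Assumed work factor for PBKDF2; a real deployment tunes this upward for its hardware.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: the kind of 'too simple' storage the comment
    worries about. Every account with this password yields the same digest, and a
    digest leaked from one site can be checked offline against a precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates) -> Dict[str, str]:
    """What an attacker can prepare in advance for unsalted hashes: digest -> password.
    Shown from the defender's side to explain why unsalted storage is a weakness."""
    return {weak_hash(p): p for p in candidates}


def lookup_weak_digest(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the password if the unsalted digest appears in the table, else None."""
    return table.get(digest)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as 'iterations$salthex$digesthex'
    (a hypothetical record format chosen for this example). A fresh random salt per
    account means identical passwords produce different records, and each leaked
    record has to be attacked separately at the full iteration cost."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in
    constant time, so verification does not leak timing about matching prefixes."""
    iterations_s, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_correlates(password: str) -> Tuple[bool, bool]:
    """For two accounts that share a password, report whether their stored values
    match under (unsalted hashing, salted PBKDF2). Unsalted: True; salted: False."""
    return (
        weak_hash(password) == weak_hash(password),
        make_record(password) == make_record(password),
    )


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    # A weak digest for a common password is found immediately in the table.
    print(lookup_weak_digest(weak_hash("letmein"), table))
    # A salted record cannot be looked up; it must be verified against a guess.
    rec = make_record(SAMPLE_PASSWORD)
    print(rec, verify_record(SAMPLE_PASSWORD, rec), verify_record("letmein", rec))
    print(same_password_correlates(SAMPLE_PASSWORD))
```

The defensive lesson matches the advice in the Zappos notice: once unsalted or fast hashes leave a site, reuse of the same password elsewhere is the exposure, which is why changing that password on other sites is recommended regardless of how a particular site stored it.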

  • Guest

    Thank you to Tony for taking ownership of the issue and for communicating proactively with customers. A good customer-obsessed culture must be the bearer both of good news and of bad news in a timely manner.

  • Dave

    Quick response, but the standard is to offer credit monitoring after a security breach, particularly a hack. Understand they did not lose credit card information but the combination of information lost sure looks sufficient to start an ID theft.