Zappos Suffers Data Breach, Forces Customer Password Change
Online shoe retailer Zappos.com suffered an intrusive data breach possibly affecting all of its 24 million registered customers, according to emails the company sent to staffers and employees Sunday night.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," said Zappos chief executive officer Tony Hsieh in an email to employees Sunday. "We are cooperating with law enforcement to undergo an exhaustive investigation."
Zappos, an independently operated subsidiary of Amazon headquartered in the Las Vegas suburb of Henderson, Nev., has its main fulfillment warehouse in Shepherdsville, Ky., just south of Louisville.
In a subsequent email to customers titled "Information on the Zappos.com site - please create a new password," the company listed the customer details to which there may have been "illegal and unauthorized access": "your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."
In "better news," the email read, "critical credit card and other payment data was NOT affected or accessed."
Admirably, Zappos is now forcing all customers to change their passwords.
"We have expired and reset your password so you can create a new password," the email to customers read. "Please follow the instructions below to create a new password."
The password-change process, which you can initiate here, will result in another email from Zappos. (It's possible that online scammers will send fake password-reset emails pretending to be from the company, so pay attention to where the emails come from.)
Scrambled passwords — "hashes" in security parlance — are very valuable to online criminals.
Many retailers do not store actual customer passwords, and it appears Zappos was among them. Rather, they store the output, or hash, of a complicated mathematical algorithm that's triggered when a customer first registers a password, then match that to the output the next time a customer logs in.
Theoretically, each hash is nearly impossible to reverse. In reality, because millions of Zappos' customers will likely be using weak or predictable passwords such as "password" or "123456," criminals can run lists of common passwords through the same hashing algorithm and match the results against the stolen hashes to pick those accounts out.
And because people who use weak passwords also tend to use them on multiple online accounts, criminals will then be able to use those email addresses and cracked passwords to hijack millions of non-Zappos accounts, many of which will be on other online retailing sites.
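The mechanism described above, as an added illustration that is not from the article or from Zappos: a fixed hash function turns every account using "123456" into the same stored value, so one precomputed table of common-password hashes identifies all of them at once; a per-user salt and a slow key-derivation function (PBKDF2 here) remove that shortcut. The password list and "stolen" hash table are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample list: the weak passwords the article names, plus two more.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Registration-time hash as the article describes it: one fixed function,
    so two customers with the same password get the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted(stored_hashes):
    """Defender's audit of an unsalted table: one precomputed set of
    common-password hashes checks every account in a single pass."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password: str, salt=None, iterations: int = 200_000):
    """Mitigation: random per-user salt plus a deliberately slow KDF.
    Returns (salt, digest); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login-time check: recompute with the stored salt, compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same weak password now store unrelated values,
    so a single precomputed table no longer matches both."""
    s1, d1 = salted_hash(password)
    s2, d2 = salted_hash(password)
    return d1 != d2 and verify_salted(password, s1, d1) and verify_salted(password, s2, d2)


if __name__ == "__main__":
    # Constructed "breached" table: two weak passwords and one strong one.
    stolen = [unsalted_hash("123456"), unsalted_hash("password"),
              unsalted_hash("c0rrect-H0rse!battery-x9")]
    print(audit_unsalted(stolen))          # the two weak accounts, found instantly
    print(salted_hashes_differ("123456"))  # True
```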
If you're a Zappos customer changing his or her password today, take our advice and create a strong, unique password. Make sure it's got at least eight characters and has a mix of upper- and lower-case letters, numbers and punctuation marks. Some experts also recommend that it not be based on a dictionary word.