24 Million Zappos Accounts May Have Been Compromised

Late Sunday night, several readers wrote in to say they had received an e-mail from the shoe-selling folks at Zappos.com letting them know that their personal information, including part of their credit card number, may have been compromised by hackers.

According to MSNBC, it looks like all 24 million registered Zappos users may have been put at risk by the hack.

From the e-mail sent out to Zappos customers:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Comments

  1. Kaleey says:

    Nice to see a company not taking the “deny, deny, deny” route. When did this security breach occur?

  2. chiieddy says:

    First the bad news – My email address with Zappos utilizes a + in it. I never got the email and when I went to log in they told me they had sent me a new one, but displayed my address with the + replaced by a space. The new one never showed.

    Second the better news – They provided an email address where I was able to email for assistance.

    Third the best news – There’s a reset password function on the top right of the site. I was able to generate an email to reset my password from that.

    Hopefully they fix their issue with special characters in the email soon.

    P.S. The message I received when attempting to log into the account suggests nothing of a security breach. Just a ‘security upgrade’.

    • kimmie says:

      Ditto here. I never got the breach email, and dspam has no record of it ever coming in. Someone had to tell me about it, and the reset password link makes no mention. Even better is at the bottom of the main page they talk about their philosophy of open communication but there’s nothing on the website about the breach.
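The symptom chiieddy describes (an address with a “+” being displayed with a space in its place, and the notification never arriving) is one that web developers hit regularly. The following is an added example, not code from the page or from Zappos, and the cause it demonstrates is an assumption: in `application/x-www-form-urlencoded` data a literal `+` means a space, so an address pasted into a form body or query string without percent-encoding comes out of the server's parser with the `+` replaced. The constructed address `jane+zappos@example.com` and the `local_part_has_space` check are assumptions added here; the check is the kind of audit a mailing pipeline can run over stored addresses before a mass notification goes out.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample address using "+" sub-addressing, the case the commenter describes.
PLUS_ADDRESS = "jane+zappos@example.com"


def naive_form_body(email: str) -> str:
    """Body built by string concatenation with no escaping (the bug).

    A literal '+' in form encoding is the escape for a space, so the
    address no longer survives the round trip to the server.
    """
    return f"email={email}"


def correct_form_body(email: str) -> str:
    """Body built with urlencode(), which percent-encodes '+' as %2B and '@' as %40."""
    return urlencode({"email": email})


def server_side_email(body: str) -> str:
    """What a standard server-side form parser hands the application."""
    return parse_qs(body)["email"][0]


def round_trips(email: str, builder) -> bool:
    """True if the address the server sees equals the address the user typed."""
    return server_side_email(builder(email)) == email


def local_part_has_space(address: str) -> bool:
    """Audit check for a stored address: a space in the local part is never valid
    in an unquoted address and is the fingerprint of a decoded '+'."""
    local, _, _domain = address.rpartition("@")
    return " " in local


if __name__ == "__main__":
    print("naive   ->", server_side_email(naive_form_body(PLUS_ADDRESS)))
    print("encoded ->", server_side_email(correct_form_body(PLUS_ADDRESS)))
    for addr in (PLUS_ADDRESS, "jane zappos@example.com"):
        print(f"{addr!r}: suspicious={local_part_has_space(addr)}")
```

Running it shows the naive body arriving as `jane zappos@example.com` while the `urlencode()` body arrives intact; the audit function flags the corrupted form so that a notification run can be held back for addresses that would bounce or go to nobody.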

  3. scudsone says:

    Their new password requirements are insane; requiring a password with uppercase, lowercase, numbers and special characters. It's too much. I’m never going to remember whatever I come up with, and every time I try to shop at Zappos I’ll have to use the reset form and wait to be emailed my password, which will turn into a giant annoyance. Forget it, I’ll just shop somewhere else.

    • Ihaveasmartpuppy says:

      Sounds like it’s time for you to use a password program (like keepass). I don’t know what most of my passwords are, and they are all different from each other. If one place is breached I don’t have to change any other passwords.

      • HomerSimpson says:

        What happens if the password site is breached (or worse… goes out of business)?

        • Ben says:

          Keepass’ records are stored locally on your computer. LastPass (which I love) stores encrypted versions of your password (that not even the company can decrypt) on their servers, but you can also store the files locally using their Portable or Pocket software. Other services usually offer offline storage as options, too.

          That way, you just make one super long, super strong password that you memorize, and you’re good-to-go. Change it every few months, and you’re even better off! LastPass even offers stronger security through things like the Google Authenticator mobile apps.

          • webweazel says:

            I love LastPass, too. The best part about it is that I can also access it from different places. For instance, I visited some relatives out of state last summer. I set up the plugin in Firefox on their computer, and had all my basic passwords right there.

            I only put on basic passwords like for Consumerist, email addresses, Yahoo Groups, Facebook, and other general sites. One thing I do NOT do for any password manager is thus: I do NOT enter any financial passwords on any of them like banks or credit cards, etc. These I memorize. As a general rule, I do not save any financial passwords (nor credit card numbers) anywhere locally on my computer nor anywhere out in the “cloud”. Only in my brain. It helps me sleep at night.

            Speaking of accessing things remotely- I use Hotmail and one of the bonuses there is their SkyDrive. I can access those files from anywhere I can access Hotmail. (I keep my recipe book on there. You just never know when you’ll be called on to whip up a pie!) I saved files onto it before I was visiting my relatives, then scooped them off when I got there for them, added some more there, and got them off when I got home. It can be a great way to access/save/transfer files you need while out and about.

          • Total Casual says:

            Put your KeePass database(s) and portable executables on a Dropbox free account, and you have LastPass for free! It’s a true miracle of modern technology!

        • repeater says:

          KeePass stores the database on your local computer in an encrypted file. The code is also open source so even if the project dies someone else can take it over or you can build it yourself if you are so inclined.

          You are probably thinking of LastPass, which is the web-based service. I agree with you on that – I would never use something like LastPass. No matter how trustworthy or clever their systems are, it just seems like asking for trouble in exchange for the smallest amount of convenience.

          It takes only a few seconds with KeePass to type in your password to unlock the database, double click on the entry and paste it into some login form. They also have Android/iPhone clients available if you stick with the 1.x series, which right there is crazy convenient.

          It’s waaaay less likely someone is going to steal and somehow decrypt your personal password file (even if you copy it all over the place to have several copies of it just in case) than the chances that someone will chip away at one of these online password services the moment they slip up.

    • Alessar says:

      What they’re asking for is a high-security password; it’s IT standard and for your own protection you should suck it up and do it that way EVERYWHERE.

      Using a passPHRASE instead of a password may be easier for you:
      Fl0&AlicewereonTV47years

      • Nigerian prince looking for business partner says:

        Does that really help much when the site itself is hacked and then exposes users’ passwords? Either way, personal information is compromised. I keep fairly complicated ones and every time my information has been lost to hackers, it’s because of the site and not my own password.

        My goal is to have unique passwords for each site, which are somewhat random but not insanely difficult to remember, and then a very long, complicated one for my email. So far, so good.

        For random websites that want an email address, I typically just generate one from 10 Minute Email, so it’s not linked back to me in any way.

        • Megalomania says:

          Passwords were not compromised… cryptographically hashed data generated from the passwords was compromised. To extract your password, they have to, given a function, F, and output g, find x such that F(x) = g, where F was designed and chosen specifically to make that as difficult as possible. If you had a password that followed the guidelines they now publish (uppercase, lowercase, numbers, special characters, 8+ total), they’d have – to make the numbers easy – more than 600,000,000,000,000 (600 trillion) passwords to attempt. For *every person on the database. So unless your password was woefully bad, they aren’t going to bother. What they actually cared about was the personal information combined with the credit card numbers, which were NOT compromised. Forcing a password change allows them to ensure that the hackers can’t grab the low-hanging fruit from the stolen database and log in with that data to get the credit card information.

          *Note that this number is not a barrier in and of itself; cracking DES with a 56 bit key was shown to be possible in 1998 using publicly available technologies, and actors with ‘nation-state’ capabilities can perform that kind of brute force attack in a matter of hours if not minutes against a single password. But, unless there is a specific reason you might be targeted with that kind of attention, it’s not worth the time to bring those kinds of resources out in an attempt to steal your password.
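Megalomania's comment makes two points that are worth seeing worked through: the size of the search space a password policy actually produces, and what “cryptographically scrambled” storage has to look like for the F(x) = g argument to hold for every user and not just for the first one whose hash is inverted. The block below is an added example written for this page; it is not Zappos's code, and nothing on the page says how Zappos stored passwords. Its assumptions are the alphabet (26 + 26 + 10 letters and digits plus the 32 printable ASCII punctuation characters), a password of exactly 8 characters that uses all four classes, and the PBKDF2 parameters. Under those assumptions the policy's keyspace is counted exactly by inclusion-exclusion and comes out a little above 51 bits, which is why the footnote's comparison with a 56-bit DES key is the right frame. The second half contrasts an unsalted fast hash, where every user who chose the same password shares one digest, with a salted slow hash, where each record has to be attacked on its own.

```python
import hashlib
import hmac
import math
import os
import string
from itertools import combinations
from typing import Optional

# Assumed alphabet: the comment names the classes but not their sizes.
CLASS_SIZES = {
    "upper": len(string.ascii_uppercase),   # 26
    "lower": len(string.ascii_lowercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32 printable ASCII punctuation marks
}


def policy_keyspace(length: int, class_sizes=CLASS_SIZES) -> int:
    """Count strings of exactly `length` characters over the union of the classes
    that contain at least one character from every class.

    Inclusion-exclusion: start from all strings over the full alphabet, subtract
    the strings missing one class, add back those missing two, and so on.
    """
    sizes = list(class_sizes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def keyspace_bits(count: int) -> float:
    """Express a search space in bits, so it can be set beside a 56-bit DES key."""
    return math.log2(count)


# --- What the stored "scrambled password" should be ---------------------------------

def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest. Every user with this password gets the same value, so
    inverting F(x) = g once recovers the password for all of them, and a precomputed
    table of common passwords answers g for the whole database at once."""
    return hashlib.sha256(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server's budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    The 16-byte random salt is stored beside the digest; identical passwords produce
    different records, so each one costs the full search the comment describes.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    n = policy_keyspace(8)
    print(f"8 chars, all four classes: {n:,} candidates, {keyspace_bits(n):.1f} bits")
    # Constructed sample password, used only to show the storage difference.
    sample = "Tr0ub4dor&3"
    print("unsalted digests identical across users:",
          unsalted_hash(sample) == unsalted_hash(sample))
    print("salted records identical across users:  ",
          hash_password(sample) == hash_password(sample))
```

`policy_keyspace(4)` is a useful sanity check on the counting: with four classes and four positions, each class appears exactly once, so the count must be 4! × 26 × 26 × 10 × 32. For the 8-character policy the function returns a value above the comment's 600 trillion but below 94^8, because the “must contain every class” rule removes the strings that skip a class.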

    • Emily says:

      I agree. The new requirements are too strict.

      I read a very interesting column not long ago by a security expert who said that the increasingly onerous password requirements fail to take into account the fact that it’s human beings who have to use them. And he pointed out that the costs to a company and consumer of lost passwords, account lockouts and password recovery are far higher than the costs of hacking. Most successful hacks (including this one) have nothing to do with what the password actually is… they’re brute force attacks on mass databases.

    • TasteyCat says:

      I invoice the Army Reserve on their website. It requires a password that uses uppercase, lowercase, numbers, special characters, no sequential characters, no repeating characters, must be a minimum of 15 characters, and has to be updated regularly with deactivation within a week of failing to update.

  4. Cat says:

    Let the Zappos hate begin.

  5. Dipsomaniac says:

    The best part was I got that email and when I tried to reset my password they said they weren’t accepting international traffic and refused to let me proceed.

    • NotSara says:

      Yep. I haven’t been able to shop with them since they stopped delivering to Canada. I was not going to bother resetting my password, but now it looks like I can’t even if I wanted to.

  6. Ihaveasmartpuppy says:

    I got the same email from 6pm.com.

    • dwasifar says:

      6pm.com is nominally a part of Zappos but they don’t have the customer service focus.

      I did business with them exactly once – bought shoes for my wife during a sale. The sizing turned out to run small, and though 6pm did not have the next size available in that color, they did have them in a different color. But they would not exchange for those at the sale price, even though they acknowledged that none of the problems were my fault. I spent probably close to an hour on the phone with them and finally wound up returning the shoes at my expense.

      A completely disappointing experience, and now I wind up with my online identity compromised by them as a postscript.

  7. sidkid88 says:

    I got the same kind of email from Twitter too.

  8. rpm773 says:

    Does anyone have an account that is linked to a hotmail address? I didn’t notice the original message, nor have I seen the multiple resends. My junk folder is empty.

    It seems the “change password” link at the top of zappos.com still requires that an email be sent to the account’s linked address.

    Never had problems receiving shipping confirmations in the past to my hotmail account from Zappos…hmmm.

  9. rdaex says:

    Oh cool, I have 5 new spam emails in my spam folder. Thanks Gmail for not even letting me see them.
    Weirdness: You can't just go online and reset your password, it has to send you ANOTHER email in order to reset it, but it's been over 5 minutes and I still haven't received it.

    • MMD says:

      The server’s probably slammed.

      • smartaz says:

        On 3 hours waiting for the next step to reset the password, yet their site still says it’ll be 30 minutes. Yes, I checked the spam folder.

    • Silverhawk says:

      I did the same thing after reading this article and noticing I didn’t get the first email (and it’s not in my spam folder), clicked to ‘resend email’ so I could set my new password, and I’m still waiting. Maybe they’re getting hammered.

    • tsukiotoshi says:

      It’ll show up eventually. Mine showed up maybe 30 minutes after I requested it. They are probably seeing a ton of traffic on that.

  10. Silverhawk says:

    Interesting. Never got an email…

    • atrixe says:

      Me neither.

      • Laughing says:

        I got one from 6pm but not from Zappos. When I attempted to access my Zappos account then I was told I’d have to reset my password. Strange since I’ve done a lot more business with Zappos than with 6pm.

    • Jillia says:

      I have not either, and when I went to their site and tried to sign in, it prompted me to reset my password. Unfortunately I still have not received the email to do so…

  11. marc6065 says:

    I think the big lesson here is WHO THE HELL needs an online account to buy shoes!!!!!! If you need an account to buy SHOES then something is wrong. Just how many pairs of shoes do you need!??!?!

    • tsukiotoshi says:

      Generally you get an account if you buy even one pair of shoes, I think. I don’t buy a lot of shoes but when I do I use Zappos….so I have an account there. Not rocket science.

    • slyabney says:

      Some of us have very hard-to-shop-for feet that make buying shoes online necessary. Some of us don’t live in parts of the country where it is easy to access a wide range of brands, shoe types, colors, etc. that would make it easy to buy from a physical store.

      So yeah, it is necessary to have an account to buy shoes at a reasonable price. And not everyone buys shoes to excess.

    • MMD says:

      That’s not a “lesson”. That’s an irrelevant screed.

    • midwestkel says:

      You need an account on just about any website to do stuff on it, welcome to the internet…

    • smartaz says:

      They sell more than shoes.

  12. Scamazon says:

    News Flash – 6pm.com was also hacked…

  13. RoadDogg says:

    I signed up for a VIP account when they first came out for free but never actually bought anything. I don’t think I had to put in credit card information to sign up, so as long as I didn’t reuse a password I guess I can just expect even more spam emails.

  14. selianth says:

    I really appreciate that their original notification email did NOT say “Follow this link to reset your password” but instead directed you to “Go to zappos.com and reset your password there.” This is what the security experts always tell people to do, so I like that Zappos didn’t encourage bad habits by putting a password reset link right in the email.

  15. Evil_Otto would rather pay taxes than make someone else rich says:

    This is the way responsible companies react to a security breach. They don’t pretend that it didn’t happen because their site is “100% secure”, because there is no such thing. A security breach can happen to any site, at any time. Yes, some sites do it better than others, but the fact remains that the only 100% secure server / site is one that has the power turned off. Anything else is vulnerable to something.

    Zappos was also doing two things correctly: They didn’t store user passwords in plaintext, and they don’t store credit card information on a publicly facing server. It boggles my mind how many sites do either one of these.

  16. Scamazon says:

    Seriously, no reset email for either Zappos or 6pm.com and it's been over 8 hours. FINE, how about I just CANCEL both of my accounts, I bet they would respond then. Thanks Jackasses for compromising my accounts, passwords and causing me tons of junk spam! Time to readdress all my other accounts and deal with them accordingly…

    • nicless says:

      What in the world is junk spam? Is that like the Viagra emails? I don’t think you are getting those because of a shoe store.

  17. dangermike says:

    These things are bound to happen from time to time. That’s just the nature of online commerce. However, being in the affected group, I am rather perturbed to have heard of this first from my morning news perusal on google and later in a phone call from my mother (not exactly an up-to-the minute tech news source) while I still have not received an email from Zappos. There was nothing trapped in my spam filter. When I first tried to change my password this morning, I was getting html error 500. When I tried again after lunch, their system was able to send me an email to reset my password but I still have not received the initial notification from Zappos.

    Not a huge deal, since I have generally reasonable password practices, but I had the card they keep on file compromised by a similar course of events at a different online retailer and had to deal with the hassle of getting charges reversed and a new card issued fairly recently.

    Big online shops should give you the option to burn that info when they’re done with it. I really don’t mind reentering it on every purchase. It is no less convenient than having to provide the CVV2 code, and it could mean fewer false charges when some hacker inevitably lands a score like this.

  18. Santas Little Helper says:

    Can I just ask the obvious and say why is user data not encrypted on any of these sites anymore?