Internode Blog

Zappos.com User Details Exposed

Monday, January 30th, 2012 by

Recently the very popular Zappos.com site (owned by Amazon) experienced a major breach of their systems resulting in 24 million user details and related data being compromised.

Zappos have advised that customer’s name, email address, billing and shipping address, the last four digits of their credit card number and a “cryptographically scrambled” copy of the customer website password has been stolen.
Zappos have expired all passwords and had temporarily blocked non-US traffic customers whilst internal investigations were performed.

If you have used the Zappos.com site in the past, please ensure you change your password immediately wherever the same credentials have been used on other sites or services.

It is strongly recommended that you do not use the same password for different sites.
A similar compromise last year (Sony) revealed that attackers used compromised passwords found on one site, to access other sites used by the compromised user.
Please be aware that the people who perpetrated this breach may hold onto the data for a year or so before using or selling it.

At this stage Zappos.com have said that no full Credit Card details have been exposed, but if anyone is worried, you should call your bank to discuss what options are available (each bank is different in this regard). This may include cancelling the compromised card and requesting a replacement.

If it is found that the Credit Cards have been compromised in the future, quick action is especially important if a VISA/MasterCard Debit Card has been used, as funds are taken directly out of the card holders savings account, leaving it up to the card holder to dispute the transaction with the bank (immediate customer risk). Whereas with a Credit Card, the card holder is not directly out of pocket at the time of a fraudulent transaction and may dispute the transaction within the credit payment time period provided by the card holders bank (the bank holds the risk).
Please keep an eye on your credit card charges and alert your bank if you become aware of any suspicious charges.

Further details of the Zappos.com incident can be found at within the following links…
1/ http://news.blogs.cnn.com/2012/01/16/zappos-com-hacked-24-million-customers-affected/
2/ http://www.informationweek.com/news/security/attacks/232400441
3/ http://blogs.zappos.com/securityemail

Additionally, the extent of the compromised user details may be used by the attacker to satisfy many of the typical security checklists used by organisations to validate an individuals identity. As a result, the details may contribute to identity fraud in the future i.e. names, addresses, email address, birthdates, usernames, passwords, logins, security questions and more.

———- This is copy of the email that has been sent to all Zappos.com customers ———

From: “Zappos.com” <zappos@zappos.com>
Date: 19 January 2012 7:23:56 AM ACDT
Subject: Information on the Zappos.com site – please create a new password
Reply-To: passwordchange@zappos.com

First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

————————————————————————————————————————-

Thanks
Derek

Post tags: