if so, you may have a problem headed your way


http://news.blogs.cnn.com/2012/01/16/zappos-com-hacked-24-million-customers-affected/?hpt=hp_t3

January 16th, 2012
07:45 AM ET


Online retailer Zappos.com is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said..

The e-mail also went out to customers of Zappos discount website, 6pm. com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony.

 

-----signature-----

Was just looking at stuff there the other day. Have never purchased anything though.

 

-----signature-----

good thing you didnt buy anything at the time

 

-----signature-----

Separate password for every site.

DOOO ITTTTTTTT

 

-----signature-----

but it is everso much easier to type aaaaaaaaaaa123

 

-----signature-----

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

 

-----signature-----

HOW U KNOW MY PASSWORD?!??!?!

 

-----signature-----

There is no such thing as 100% secure online, unless you're...well, not online. It sounds like they're doing the right thing. They stored actual credit card information separately (good!) and let their customers know immediately what was affected, and the steps they are taking to mitigate the issue. It's also good that they're forcing a password change. That way no one can come back later and complain that "someone hacked my account!" when they just were too lazy to bother to change their password that hackers now have.

Overall I think they're doing what they should as far as handling the situation. Customers don't necessarily get riled if you make a mistake (unless it was an obvious and totally avoidable one) but they do care how you take care of said mistake.

Not knowing the overall security measures of zappos, I can't really comment on whether they did something they shouldn't have, or didn't do something that they should have, which allowed hackers to obtain this info. No way to know.

 

-----signature-----

Bummer. They seem like a pretty decent company to work for from what I heard. Really care about their employees and customers so I hate to see them get hurt. Have been tempted to see if they have any job openings a few times now but they were clear on the other side of town.

Hope this doesn't damage them too much.

 

-----signature-----

i was peeking over your shoulder! ;P

 

-----signature-----