Zappos turns off phones after up to 24 million customer records exposed

Online shoe and clothing retailer Zappos.com has warned its users that it has suffered a massive data breach.

Up to 24 million customers may have been impacted by the security breach, which has forced the firm to reset the passwords of its customers.

According to the company, which is owned by Amazon.com, details stolen include names, email addresses, billing/shipping addresses, phone numbers, and the last four digits of customers' credit card numbers.

In addition, password hashes were exposed.

So, you'll have to change your Zappos password if you want to shop from the store again. And, actually, it would make sense to ensure that you are not using the same password anywhere else on the net.

Disappointingly, there is no mention of the security breach on the front page of the Zappos website - one platform you would imagine they would use to inform their customers that there was a security problem of which they should be made aware.

Zappos says it has taken the step of temporarily turning off its phone lines, because it worries it will not be able to cope with the volume of anticipated calls. Instead, customers are being asked to contact the firm only via email.

And good luck if you have heard about the security incident and try to read Zappos' statement about it online. The corporate blog it is posted on is currently blocked to non-US customers:

Access to Zappos' blog is blocked to non-US users

Nevertheless, I managed to find the full text of a statement from Zappos CEO Tony Hsieh via a Google cache of the webpage. I've reproduced the content below in the hope that it might help some of Zappos' customers:

The following email was sent to our employees today:

Date: Sun, 15 Jan 2012
From: Tony Hsieh (CEO - Zappos.com)
To: Zappos Employees
Subject: Important - Security

Dear Zappos Employees -

Please set aside 20 minutes to carefully read this entire email.

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.

Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.

The most important focus for us right now is the safety and security of our customers' information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We've already reset and expired their existing passwords.)

Here is the email that our customers will be receiving:

---------------------------------------------------------------------

Subject: Information on the Zappos.com site - please create a new password

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password.

Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com

-------------------------------------------------------------------------

We have also created a web page that we will continue to update as we learn more about what questions customers have:

http://www.zappos.com/passwordchange

In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)

We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed.

Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.

Thanks everyone.

-Tony Hsieh
CEO - Zappos.com

It's certainly an ugly situation - and if nothing else, the security breach underlines the damage that can be done to a company's brand by an attack.

Meanwhile, Zappos customers should be on the look-out for phishing attacks.

Many may find the decision to turn off the telephones hard to swallow, but from the above statement it appears that the company is attempting to assist as many customers as quickly as possible - and is not averse to calling in every member of staff, regardless of department, to assist customers who have questions.

One imagines that the decision to block access to the blog entry is to prevent it becoming overloaded with traffic - but, seriously, how hard is it to host an important message like this on another trusted site? Hey, I just did it for them above!

Zappos says that it is co-operating with the authorities in their investigation as to who might have been behind the attack.

11 Responses to Zappos turns off phones after up to 24 million customer records exposed

  1. Johnny B · 825 days ago

    How are we supposed to know if we re-used our password at other sites? They reset the passwords so unless you had it written down, good luck realizing what it was....

    • Mike WIlliams · 825 days ago

      LOL Don't even know where to start with that one.

    • chris · 825 days ago

      Sounds like you should invest some time setting up a service like lastpass or running keepass on your computer if you can't keep track of what passwords you use where.

    • Joe Jones · 825 days ago

      If you saved it in your browser, you can retrieve it from there.

  2. UnFocused · 825 days ago

    Well, you should know what your password is for -every- website. This is information that YOU should keep, not anybody else.

  3. Alan C · 825 days ago

    Since Zappos was purchased by Amazon, finding a place to host a message for millions of visitors to see should be a trivial matter.

  4. Debra · 825 days ago

    If it weren't for reading Naked Security, I would've never known about this breach. I am a Zappos customer but I did not receive the "customer email". Not very comforting. Thanks for the heads up, Graham. You're always one step ahead!

  5. John K · 824 days ago

    If I was a Zappos customer and received an e-mail like the one sent out, I would be wary and delete it. Anti-malware and anti-virus advice is that if you are unsure if an e-mail is legitimate, don't pass GO, don't collect $200, send it immediately to DELETE and clear your deleted messages. It sounds too much like a nice phishing expedition to get passwords. I would not know, unless I was a retail marketing analyst, who this "Tony Hsieh" is and even so I would have second thoughts about this e-mail.

    If it is just a matter of resetting a new password, why not have customers enter a new password the next time they sign in with a brief message that it is time to create a new password? You can even lie and say it is new corporate policy to have customers do this every xx days for security and their protection.

  6. Chris C. · 824 days ago

    I am a VIP Customer at Zappos and did not receive any notification from them. All of the news outlets keep writing that customers were notified but we weren't.

  7. Mjb · 823 days ago

    I received an email from zappos before I heard anything on the news. I was directed to a link to their site describing what I would see and where to change my password. Rather than use the link in the email, in case it was not from zappos, I typed in their URL. I could change my password as described in the email. Very pleased with how they handled the situation.

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.