
Ecommerce Forum

24 Million Customers' Account Details Hacked From Zappos

 11:44 am on Jan 16, 2012 (gmt 0)

24 Million Customers' Account Details Hacked From Zappos [forbes.com]
Twenty-four million Zappos customers are getting an unpleasant Sunday-evening surprise.

The Amazon-owned e-commerce firm has revealed that it was the target of a cyber attack that gained access to its internal network, including the accounts of 24 million of its users. Though the company says that no complete credit card numbers were revealed in the breach, the intruders may have accessed customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords. Zappos says it’s taken the precaution of resetting the passwords of all its customers and directing them to set a new password upon visiting the site.

Ouch! That's a lot of people.



 11:47 am on Jan 16, 2012 (gmt 0)

So now the hackers send a "you were compromised, please complete the form to reset access" email to the compromised account owners... and get them to supply the rest of the missing information.


 2:56 pm on Jan 16, 2012 (gmt 0)

I was one of those 24 million. :-(


 5:23 pm on Jan 16, 2012 (gmt 0)

This article has a little more info:

Sad to see a company founded on customer service shutting off their phone lines during the fiasco. Article says they don't have the capacity to deal with the phone calls...even after being bought by Amazon?! I'm sure they are having tough, tough times. :P


 6:39 pm on Jan 16, 2012 (gmt 0)

Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?


 6:40 pm on Jan 16, 2012 (gmt 0)

Yea, turning off the phones is a huge misstep I think. When something like this happens, you need to find a way. Regardless of their intention, it's going to look like they're trying to be evasive.


 6:46 pm on Jan 16, 2012 (gmt 0)

The quickest way to get a message to every customer is to put it on ... wait for it ... the website. :)


 6:53 pm on Jan 16, 2012 (gmt 0)

I know people don't like the "disabling phones" idea, but frankly I see their side of it. Not only is it going to overload their system, but I guarantee some of those customer service agents are going to deal with some insanely angry customers, and it isn't fair for them to take that abuse. I am not sure anyone is safe these days from getting hacked, but it's how quickly and efficiently you deal with it. I am sure my information was part of the information hacked, but I don't blame Zappos, I blame the hackers who have nothing better to do.
The best you can do as an online consumer these days is to have multiple different passwords and to change them monthly.
Just my two cents.


 8:57 pm on Jan 16, 2012 (gmt 0)

FWIW, I was notified by email; it didn't strike me that they were trying to be evasive.


 9:15 pm on Jan 16, 2012 (gmt 0)

Totally understand them shutting down their phone lines. Taking the calls of potentially thousands of customers whose simple purpose is to voice anger and vent isn't exactly a crux of great customer service. They seem to be transparent about it all, so kudos to them.


 10:32 pm on Jan 16, 2012 (gmt 0)

Zappos is (thankfully) one of the sites I avoided buying from, but I AM an affiliate. Any word on whether affiliate data was compromised?

Shutting down the phones is not acceptable, even if it creates multi-hour wait times.


 10:59 pm on Jan 16, 2012 (gmt 0)

I don't blame Zappos, I blame the hackers who have nothing better to do.

That's a pretty strange way of thinking.


 11:02 pm on Jan 16, 2012 (gmt 0)

Hmmm... I am both a client and an affiliate and haven't received any emails from them. I wonder if everyone got such an email.

A few days ago though some other affiliates (mostly outside the US) reported that affiliate links were not redirecting properly and giving an error. I wonder if that was related...

Perhaps they need to look at the parent company, the internet Rainforest giant, to get some ideas regarding security.


 11:19 pm on Jan 16, 2012 (gmt 0)

I hope we all are making every effort to keep our sites secure... and that no matter how big we might be... with all those departments, etc., we do have a single directive and ability to maintain that security.

And if you haven't implemented that, please do so!

Making no excuses for Zappos, of course, just reminding all that "there for the grace of..." go I. Check your house. Make sure the doors can be locked when they need to be locked.


 1:51 am on Jan 17, 2012 (gmt 0)

The emails are probably going out in batches. You can't just send 24 million emails unless you are Google, Yahoo or Microsoft and are sending them to your own email users. :-)

I had a similar issue last year. I had to send an email to 100,000+ users. We did it over the course of a week due to restrictions from our email service provider. It is very difficult to try and notify so many folks.

The worst part is yet to come for them. For the next 6 months, if any of these 24 million have their identity stolen, have a mysterious charge on their credit card, can't access their email, or have any other strange, out-of-the-ordinary occurrence.... they will be contacting Zappos to complain.


 2:36 am on Jan 17, 2012 (gmt 0)

Was affiliates information compromised as well? I'd call and ask but...


 4:59 am on Jan 17, 2012 (gmt 0)

Don't think they will have much affiliate info on their servers except for cookies. That confidential info is most likely kept with CJ, don't you think?

man in poland

 9:09 am on Jan 17, 2012 (gmt 0)

From Europe, the Zappos website is not accessible at all today. Here's the message from their front page:

"We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at ....."


 2:49 pm on Jan 17, 2012 (gmt 0)

Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?

I don't think it was either; it sounds like the hacker got into their internal network, at which point they probably had access to their DB. I would venture to guess this was an inside job from an employee or ex-employee.


 4:23 pm on Jan 17, 2012 (gmt 0)

If you're still using the same password everywhere, this is your reminder to get something like RoboForm. If they can crack the password data, they'll begin the much simplified guessing game for all of your other logins, like your bank.
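The post above turns on whether leaked "encrypted passwords" can be cracked and then reused elsewhere. As an added illustration (not code from this thread or from Zappos), here is how a site can store passwords with a per-user random salt and a slow key derivation function, using only the Python standard library; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Assumed work factor: each guess against a leaked table costs the attacker
# this many HMAC-SHA256 rounds, and each legitimate login pays it once.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record 'salt_hex$digest_hex'.

    A fresh 16-byte random salt is drawn per call (per user), so two users who
    chose the same password end up with different records and a precomputed
    table of common passwords cannot be matched against the whole dump at once.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """True when two independent hashings of one password differ (salting works)."""
    return hash_password(password) != hash_password(password)
```

Salting and a slow KDF raise the cost of cracking a leaked table; they do nothing for a user who reuses the recovered plaintext on another site, which is exactly the post's point.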


 6:15 pm on Jan 17, 2012 (gmt 0)

Speaking of Zappos... Their new password requirements are tighter. After I got my notice, my new password needed to be:

At least 8 characters long
Contains 1 upper and lowercase letter
Contains 1 number or 1 special character

(My old pw passed without a number or special char.)

Also, from the notice, and perhaps most ominous --

We also recommend that you change your password on any other web site where you use the same or a similar password.

Or a similar password...? Here's hoping that's for the masses [huffingtonpost.com...] and not because of the owned-by-Amazon connection.
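The three rules the poster lists are concrete enough to implement. As an added example (not Zappos' code), here is a checker that applies them as stated and reports which rules fail; "special character" is assumed to mean any ASCII punctuation character.

```python
import string


def check_password_policy(password: str) -> list[str]:
    """Return the rules the password fails; an empty list means it is accepted.

    Rules as listed in the post: at least 8 characters; contains one upper and
    one lowercase letter; contains one number or one special character.
    """
    failures = []

    if len(password) < 8:
        failures.append("at least 8 characters long")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        failures.append("contains 1 upper and lowercase letter")

    has_digit = any(c.isdigit() for c in password)
    # Assumption: "special character" == ASCII punctuation (string.punctuation).
    has_special = any(c in string.punctuation for c in password)
    if not (has_digit or has_special):
        failures.append("contains 1 number or 1 special character")

    return failures
```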


 12:09 pm on Jan 22, 2012 (gmt 0)

Well at least they changed their passwords immediately on their own website... the problem is that many people are about to have their personal emails and bank accounts hacked due to them stupidly using the same password for everything.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved