So now the hackers send a "you were compromised, please complete the form to reset access" email to the compromised account owners... and get them to supply the rest of the missing information.

I was one of those 24 million. :-(

This article has a little more info:
[redtape.msnbc.msn.com...]

Sad to see a company founded on customer service shutting off their phone lines during the fiasco. Article says they don't have the capacity to deal with the phone calls...even after being bought by Amazon?! I'm sure they are having tough, tough times. :P

Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?

Yea, turning off the phones is a huge misstep I think. When something like this happens, you need to find a way. Regardless of their intention, it's going to look like they're trying to be evasive.

The quickest way to get a message to every customer is to put it on ... wait for it ... the website. :)

I know people don't like the "disabling phones" idea, but frankly I see their side of it. Not only is it going to overload their system, but I guaranty some of those customer service agents are going to deal with some insanely angry customers, and it isn't fair for them to take that abuse. I am not sure anyone is safe these days from getting hacked, but its how quickly and efficiently you deal with it. I am sure my information was part of the information hacked, but I don't blame Zappos, I blame the hackers who have nothing better to do.
The best you can do as an online consumer these days is to have multiple different passwords and to change them monthly.
Just my two cents.

FWIW, I was notified by email; it didn't strike me that they were trying to be evasive.

Totally understand them shutting down their phone lines. Taking the calls of potentially thousands of customers whose simple purpose is to voice anger and vent isn't exactly a crux of great customer service. They seem to be being transparent about it all, so kudos to them.

Zappos is (thankfully) one of the sites I avoided buying from but I AM an affiliate, any word on if affiliate data was compromised?

Shutting down the phones is not acceptable, even if it creates multi-hour wait times.

I don't blame Zappos, I blame the hackers who have nothing better to do.

that's a pretty strange way of thinking.

Hmmm... I am both a client and an affiliate and haven't received any emails from them. I wonder if everyone got such email.

A few days ago though some other affiliates (mostly outside the US) reported that affiliate links were not redirecting properly and giving an error. I wonder if that was related...

Perhaps they need to look at the parent company, the internet Rainforest giant, to get some ideas regarding security.

I hope we all are making every effort to keep our sites secure... and that no matter how big we might be... with all those departments, etc., we do have a single directive and ability to maintain that security.

And if you haven't implemented that, please do so!

Making no excuses for Zappos, of course, just reminding all that "there for the grace of..." go I. Check your house. Make sure the doors can be locked when they need to be locked.

The emails are probably going out in batches. You can't just send 24 million emails unless you are Google, Yahoo or Microsoft and are sending them to your own email users. :-)

I had a simillar issue last year. Had to send an email to 100,000+ users. We did it over the course of a week due to restrictions from our email service provider. It is very difficult to try and notify so many folks.

The worse part is yet to come for them. For the next 6 months if any of these 24 million have their identity stolen, have a mysterious charge on their credit card, can't access their email, or any other strange out of the ordinary occurrence.... They will be contacting Zappos to complain.

Was affiliates information compromised as well? I'd call and ask but...

Don't think they will have much affiliate info on their servers except for cookies. That confidential info is most likely kept with CJ don't you think.

From Europe, the zappos website is not accessible at all today. Here's the message from their front page:

"We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at ....."

Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?

I dont think it was either, sounds like the hacker got into their internal network at which point they probably had access to their DB. I would venture to guess this was an inside job from an employee or ex-employee

if you're still using the same password everywhere, this is your reminder to get something like RoboForm. if they can crack the password data, they'll begin the much simplified guessing game for all of your other logins, like your bank.

Speaking of Zappos... Their new password requirements are tighter. After I got my notice, my new password needed to be:

At least 8 characters long
Contains 1 upper and lowercase letter
Contains 1 number or 1 special character

(My old pw passed without a number or special char.)

Also, from the notice, and perhaps most ominous --

We also recommend that you change your password on any other web site where you use the same or a similar password.

Or a similar password...? Here's hoping that's for the masses [huffingtonpost.com...] and not because of the owned-by-Amazon connection.

Well at least they changed their passwords immediately on their own website... the problem is that many people are about to have their personal emails and bank accounts hacked due to them stupidly using the same password for everything.