24 Million Customers' Account Details Hacked From Zappos

engine

11:44 am on Jan 16, 2012 (gmt 0)

24 Million Customers' Account Details Hacked From Zappos [forbes.com]
Twenty-four million Zappos customers are getting an unpleasant Sunday-evening surprise.

The Amazon-owned e-commerce firm has revealed that it was the target of a cyber attack that gained access to its internal network, including the accounts of 24 million of its users. Though the company says that no complete credit card numbers were revealed in the breach, the intruders may have accessed customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords. Zappos says it’s taken the precaution of resetting the passwords of all its customers and directing them to set a new password upon visiting the site.



Ouch! That's a lot of people.

g1smd

11:47 am on Jan 16, 2012 (gmt 0)

So now the hackers send a "you were compromised, please complete the form to reset access" email to the compromised account owners... and get them to supply the rest of the missing information.

buckworks

2:56 pm on Jan 16, 2012 (gmt 0)

I was one of those 24 million. :-(

p5gal5

5:23 pm on Jan 16, 2012 (gmt 0)

This article has a little more info:
[redtape.msnbc.msn.com...]

Sad to see a company founded on customer service shutting off their phone lines during the fiasco. Article says they don't have the capacity to deal with the phone calls...even after being bought by Amazon?! I'm sure they are having tough, tough times. :P

Habtom

6:39 pm on Jan 16, 2012 (gmt 0)

Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?

netmeg

6:40 pm on Jan 16, 2012 (gmt 0)

Yeah, turning off the phones is a huge misstep I think. When something like this happens, you need to find a way. Regardless of their intention, it's going to look like they're trying to be evasive.

g1smd

6:46 pm on Jan 16, 2012 (gmt 0)

The quickest way to get a message to every customer is to put it on ... wait for it ... the website. :)

Strapworks

6:53 pm on Jan 16, 2012 (gmt 0)

I know people don't like the "disabling phones" idea, but frankly I see their side of it. Not only is it going to overload their system, but I guarantee some of those customer service agents are going to deal with some insanely angry customers, and it isn't fair for them to take that abuse. I am not sure anyone is safe these days from getting hacked, but it's how quickly and efficiently you deal with it. I am sure my information was part of the information hacked, but I don't blame Zappos, I blame the hackers who have nothing better to do.
The best you can do as an online consumer these days is to have multiple different passwords and to change them monthly.
Just my two cents.

buckworks

8:57 pm on Jan 16, 2012 (gmt 0)

FWIW, I was notified by email; it didn't strike me that they were trying to be evasive.

votrechien

9:15 pm on Jan 16, 2012 (gmt 0)

Totally understand them shutting down their phone lines. Taking the calls of potentially thousands of customers whose simple purpose is to voice anger and vent isn't exactly a crux of great customer service. They seem to be being transparent about it all, so kudos to them.

Sgt_Kickaxe

10:32 pm on Jan 16, 2012 (gmt 0)

Zappos is (thankfully) one of the sites I avoided buying from, but I AM an affiliate. Any word on whether affiliate data was compromised?

Shutting down the phones is not acceptable, even if it creates multi-hour wait times.

moTi

10:59 pm on Jan 16, 2012 (gmt 0)

> I don't blame Zappos, I blame the hackers who have nothing better to do.

That's a pretty strange way of thinking.

mslina2002

11:02 pm on Jan 16, 2012 (gmt 0)

Hmmm... I am both a client and an affiliate and haven't received any emails from them. I wonder if everyone got such email.

A few days ago though some other affiliates (mostly outside the US) reported that affiliate links were not redirecting properly and giving an error. I wonder if that was related...

Perhaps they need to look at the parent company, the internet Rainforest giant, to get some ideas regarding security.

tangor

11:19 pm on Jan 16, 2012 (gmt 0)

I hope we all are making every effort to keep our sites secure... and that no matter how big we might be... with all those departments, etc., we do have a single directive and ability to maintain that security.

And if you haven't implemented that, please do so!

Making no excuses for Zappos, of course, just reminding all that "there for the grace of..." go I. Check your house. Make sure the doors can be locked when they need to be locked.

maximillianos

1:51 am on Jan 17, 2012 (gmt 0)

The emails are probably going out in batches. You can't just send 24 million emails unless you are Google, Yahoo or Microsoft and are sending them to your own email users. :-)

I had a similar issue last year. Had to send an email to 100,000+ users. We did it over the course of a week due to restrictions from our email service provider. It is very difficult to try and notify so many folks.

The worst part is yet to come for them. For the next 6 months, if any of these 24 million have their identity stolen, have a mysterious charge on their credit card, can't access their email, or any other strange out-of-the-ordinary occurrence.... they will be contacting Zappos to complain.

Sgt_Kickaxe

2:36 am on Jan 17, 2012 (gmt 0)

Was affiliates' information compromised as well? I'd call and ask but...

mslina2002

4:59 am on Jan 17, 2012 (gmt 0)

Don't think they will have much affiliate info on their servers except for cookies. That confidential info is most likely kept with CJ, don't you think?

man in poland

9:09 am on Jan 17, 2012 (gmt 0)

From Europe, the zappos website is not accessible at all today. Here's the message from their front page:

"We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at ....."

ssgumby

2:49 pm on Jan 17, 2012 (gmt 0)

> Any ideas on how it could have happened -- SQL Injection, XSS, RFI, ...?

I don't think it was either, sounds like the hacker got into their internal network, at which point they probably had access to their DB. I would venture to guess this was an inside job from an employee or ex-employee.

RhinoFish

4:23 pm on Jan 17, 2012 (gmt 0)

If you're still using the same password everywhere, this is your reminder to get something like RoboForm. If they can crack the password data, they'll begin the much simplified guessing game for all of your other logins, like your bank.

Pfui

6:15 pm on Jan 17, 2012 (gmt 0)

Speaking of Zappos... Their new password requirements are tighter. After I got my notice, my new password needed to be:

At least 8 characters long
Contains 1 upper and lowercase letter
Contains 1 number or 1 special character

(My old pw passed without a number or special char.)

Also, from the notice, and perhaps most ominous --

We also recommend that you change your password on any other web site where you use the same or a similar password.

Or a similar password...? Here's hoping that's for the masses [huffingtonpost.com...] and not because of the owned-by-Amazon connection.

rollinj

12:09 pm on Jan 22, 2012 (gmt 0)

Well at least they changed their passwords immediately on their own website... the problem is that many people are about to have their personal emails and bank accounts hacked due to them stupidly using the same password for everything.