
Tuesday, 24 January 2012

Zappos Hacked, Security Email Asks Users To Change Passwords

Zappos yesterday notified all of its employees and customers that a company server has been compromised. The email, accessible online only for visitors from the US, indicates that the attackers may have gotten hold of part or all of the customer account database of Zappos.com. Information that may have been retrieved by the attacker includes customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of the credit card number and encrypted passwords.

Tony Hsieh, Zappos’ CEO, notes that the credit card and payment database has not been affected or accessed by the attacker.

While not in immediate danger, customers are asked to change their account passwords at the next possible moment to protect their accounts from unauthorized access. If the attackers managed to dump the account usernames and passwords, they have likely started to decrypt the passwords with the help of dictionary lists and brute forcing. The attackers cannot use the information directly on the Zappos site though, as passwords have been reset by the company. Customers are asked to create a new password by “clicking on the ‘Create a New Password’ link in the upper right corner of the web site and follow the steps from there”. Alternatively, it is possible to open the Password Change page on the website right away, which leads to the create a new password page.


Zappos notes that users should change passwords on other websites if they have used the same password for accounts on those sites. If the attackers manage to decrypt the passwords, they could try to log into email accounts or other popular web services.

“We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.”

Resetting more than 24 million customer passwords cannot have been an easy decision for the company's CEO. Other hacked companies have reacted differently in the past, for instance by only emailing their customers about the breach and asking them in the email to change their account passwords. The better-safe-than-sorry approach seems better suited to this kind of situation. What’s your take on the news, and do you think that Zappos made the right move?

Author: Martin Brinkmann, Monday January 16, 2012
Tags: Hacking
