
Zappos Hacked, 24 Million Account Holders Info Taken

Zappos has been hacked -- including its database of 24 million customers.

"...there may have been illegal and unauthorized access to some of your customer account information...including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."

So the good news is Zappos kept credit card information on a separate server that wasn't hacked. The bad news is if you've ordered from Zappos, hackers now have your name and address, order information, email address and the password you used for Zappos.

Zappos has changed all email addresses, but with so many customers, getting access to your new password is delayed. They say 30 minutes; it's much longer than that. I'm still waiting. If you need to reset your password, start here.

Here's Zappos' e-mail to its employees about the situation. They've shut down their phone service because it would be overwhelmed. They are being good about sending human-generated email responses.

Here's one I just received:

Thank you for contacting the Zappos.com Customer Loyalty Team.

I am terribly sorry for the delay in your receiving confirmation of your password reset email. Due to the current high volume of requests for password resets, there have been noticeable delays in the email notification. This means that your request has been processed as you requested, but it may take time before it arrives at the requested email address.

If you run into further issues involving your account, please feel free to contact us via a response to this email or send your reply to xxxxxxx@xxxxx.com.

    Oh, No! (5.00 / 3) (#3)
    by Peter G on Mon Jan 16, 2012 at 02:37:38 PM EST
    The hackers will know my sneaker size and color preferences.

    if you used the same password (5.00 / 0) (#5)
    by Jeralyn on Mon Jan 16, 2012 at 04:37:02 PM EST
    for other sites you should change those passwords now.

    I agree, Jeralyn (none / 0) (#6)
    by Zorba on Mon Jan 16, 2012 at 04:44:16 PM EST
    We wound up with some kind of virus on our computer that we could not get rid of.  We had to wind up wiping everything and starting over.  And even after that, I changed all of our passwords, on every single site.  What a pain in the @ss that was!  (We have never used the same password on different sites, so we had a whole boatload of passwords to change.)

    I don't understand (none / 0) (#7)
    by Peter G on Mon Jan 16, 2012 at 05:20:36 PM EST
    why a hack of "your cryptographically scrambled password (but not your actual password)" (as my message from Zappos says) would compromise that or any other password.  Can anyone explain?

    about those hashes (none / 0) (#10)
    by rwelty on Mon Jan 16, 2012 at 08:40:35 PM EST
    the hackers got copies of the hashed passwords. crypto hashes produce text strings of 32 or 64 characters (or more) that don't resemble in any way the original password, but feeding the password through the hash algorithm will always produce the same hash.
    the trick is to try and back out a usable password from the hash. it doesn't have to be the same password, just one that meets the password rules for the site. older hashes like md5 and sha1 have been deprecated for a little while now. the issue is what zappos is using. if it's a sha 256, then no worries, just change your password in the near future and move on. if it's md5, then sooner is better.

    Problem is, I have no idea what my password was!! (5.00 / 3) (#8)
    by honora on Mon Jan 16, 2012 at 07:19:11 PM EST
    Once I save my passwords on Firefox, I don't remember which of the 6 passwords I used.  Can't wait until my computer will read my fingerprint and let me into my accounts.  I am sure that I should not be dreaming of that day.  I guess I figure my 'privacy' is not very protected under today's system.

    If I had known... (5.00 / 1) (#12)
    by kdog on Tue Jan 17, 2012 at 08:18:46 AM EST
    there was so much hash involved in computer geekery, I woulda paid more attention in computer lab;)

    History Channel... (none / 0) (#13)
    by ScottW714 on Tue Jan 17, 2012 at 08:59:53 AM EST
    ...has expanded their Drugs series and has one about hash.  Extremely interesting, they follow the hash farmers in Morocco from plant to market with an ex-hash runner as their guide.

    I didn't know dryers were involved in hash (none / 0) (#14)
    by Militarytracy on Tue Jan 17, 2012 at 09:14:37 AM EST
    production until watching Weeds.  How does that happen, they don't give details?

    Modern Day Life (none / 0) (#1)
    by ScottW714 on Mon Jan 16, 2012 at 01:18:39 PM EST
    I would like to find a person whose information hasn't been compromised.  For me that includes the Veterans Department which has far more personal data than a commercial site.

    It sucks, but there isn't much one can do, there is a lot of data out there that, unlike Zappos, I have absolutely no control over.  Something like an Insurance/Health Care Provider website would be IMO far more devastating than a commercial website.

    The 15 Most Massive Data Breaches in History

    password panic may not be indicated (none / 0) (#2)
    by rwelty on Mon Jan 16, 2012 at 02:01:00 PM EST
    per the text of the zappo message, the passwords were stored as an encrypted hash. depending on what hash they were using, they may not be especially vulnerable. that's the reason why responsible services don't store passwords in plaintext.


    there are programs (5.00 / 0) (#4)
    by Jeralyn on Mon Jan 16, 2012 at 04:36:17 PM EST
    readily available on the internet that unmask hashed passwords, especially ones that are md5 hashes. The SHA-2 hashes are harder. Do you know which Zappos used?

    password hashes (none / 0) (#9)
    by rwelty on Mon Jan 16, 2012 at 08:34:34 PM EST
    i don't know what they used. md5 has been deprecated for some time, sha1 for a little bit now. new deployments should be using sha-256 or sha-512, older systems should have migration strategies in place to migrate gradually as users change passwords. whether zappos did any of this is unclear.
    also, you aren't so much unmasking a hashed password as coming up with some password that maps to the same hash (that is, there can be multiple text strings that result in the same hash.)


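Added example, not part of the thread or of anything Zappos published: a short Python illustration of the two points rwelty makes in comments #10 and #9 above. First, an unsalted hash is deterministic, so every user who chose the same password ends up with the identical stored digest and one recovered password unlocks all of those accounts. Second, the "migrate gradually as users change passwords" strategy: a login check that accepts a legacy unsalted record, then rehashes the password with a salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 from the standard library) so the old digest can be discarded. The record format, function names and the use of MD5 as the stand-in legacy scheme are my own assumptions for the example; nothing here says what Zappos actually used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme: one fast, unsalted MD5 digest per password. Kept only to
# show the weakness rwelty describes; a constructed stand-in, not a claim
# about the scheme Zappos actually used.
def legacy_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Modern scheme (assumed record format, my own): PBKDF2-HMAC-SHA256 with a
# random 16-byte salt and a high iteration count, stored as
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)  # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def is_legacy_record(stored: str) -> bool:
    # A bare 32-hex-char string is an unsalted MD5 record in this example.
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record type, comparing in constant time."""
    if is_legacy_record(stored):
        return hmac.compare_digest(legacy_md5_hash(password), stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, _ = parts
    try:
        recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored)

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login check that also performs the gradual migration: a legacy record
    that verifies is rehashed with the modern scheme. Returns (ok, new_record),
    where new_record is None when nothing needs to be written back."""
    if not verify_password(password, stored):
        return False, None
    if is_legacy_record(stored):
        return True, hash_password(password)
    return True, None

def shared_password_exposure(passwords) -> Tuple[int, int]:
    """How many distinct stored values a list of user passwords produces under
    each scheme. Under the legacy scheme, users who share a password share a
    digest; under the salted scheme every record is distinct."""
    legacy = {legacy_md5_hash(p) for p in passwords}
    salted = {hash_password(p) for p in passwords}
    return len(legacy), len(salted)

if __name__ == "__main__":
    # Constructed sample: three users, two of whom picked the same password.
    users = ["hunter2", "hunter2", "correct horse battery staple"]
    print("distinct legacy digests, distinct salted records:",
          shared_password_exposure(users))
    old = legacy_md5_hash("hunter2")
    ok, new = verify_and_upgrade("hunter2", old)
    print("legacy login ok:", ok, "| upgraded record:", new)
```

Running the module shows two distinct MD5 digests for three users (the duplicate password collapses to one value) against three distinct salted records, and the legacy login returning a fresh `pbkdf2_sha256$...` record to store in place of the old digest. The iteration count is what makes guessing expensive for an attacker who holds the database; the per-user salt is what stops one guess from being checked against every account at once.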
    You can do business with Zappos (none / 0) (#11)
    by jimakaPPJ on Mon Jan 16, 2012 at 11:16:18 PM EST
    and any other merchant on the net without setting up an account and giving them a password.

    You do have to give them physical address, cc# and email address. Hopefully they don't store the cc#.