DataBreaches.Net


Zappos hacked; notifying 24+ million Zappos.com and 6pm.com customers of breach and to reset passwords

Posted on January 15, 2012 by Dissent

Online retailer Zappos has been hacked. Its CEO, Tony Hsieh, has posted a copy of the email notification explaining the breach that was sent to all employees; it includes a copy of the email notification sent to customers:

The following email was sent to our employees today:

Subject: Important – Security
Dear Zappos Employees –
Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with the FBI to undergo an exhaustive investigation.
Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
The most important focus for us is the safety and security of our customers’ information. Within the next hour, to ensure a greater level of security, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts.
(We’ve already reset and expired their existing passwords.)
Here is the email that our customers will be receiving:
————————————————————————
Subject: Information on the Zappos.com site – please create a new password
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The secure database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password. Please see the link at the end of this message to create a new password.
As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. We also recommend that you change your password on any other web site where you use the same or a similar password.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password. Please create a new password by clicking on the link below:
http:// [we will provide a secure, unique link for each customer]
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at [email protected]
————————————————————————
We have also created a web page that we will continue to update as we learn more about what questions customers have:
http://www.zappos.com/passwordchange
In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers.
Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)
We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the secure database that stores our customers’ critical credit card and other payment data was not affected or accessed.
Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.
Thanks everyone.

Tony Hsieh

CEO – Zappos.com

What I can’t figure out from the above is whether they are indirectly saying that they stored full credit card numbers on another server. I hope they clarify this in future statements.

The same notification was sent to 6pm.com employees.

Category: Breach Incidents, Business Sector, Hack, Of Note, U.S.


4 thoughts on “Zappos hacked; notifying 24+ million Zappos.com and 6pm.com customers of breach and to reset passwords”

  1. Jennifer says:
    January 16, 2012 at 2:43 am

    Exact Target email service provider hack.

    1. admin says:
      January 16, 2012 at 4:23 pm

      Huh? Where are you getting that from?

  2. Ken says:
    January 16, 2012 at 3:10 pm

    The good news is at least customer credit card information was not compromised…

  3. Jay Gould says:
    January 27, 2012 at 6:38 pm

    The Zappos hackers seem to have accessed some of the information stored in the retailer’s customer profiles. We don’t know whether or not the criminals have been able to actually access the customers’ accounts, as we don’t know if they could have retrieved the passwords. Yet, even if they did, that wouldn’t have done them much good. What could have happened? Let’s say that they attempted to place an order. Well, even if it did go through, which is unlikely, it would’ve been disputed by the cardholder, who would have been reimbursed for any possible losses. Aside from that, any card data that may have been stored in a hacked profile would have been perfectly unusable, because it only shows the last 4 digits of the account number.

    The bottom line is that, as the data breach was immediately discovered and the customer passwords reset, the hackers would have been left with such information that they could have found on Yellow Pages, with much less trouble and for free. For a more detailed analysis: http://blog.unibulmerchantservices.com/the-zappos-data-breach-10-days-on-the-lessons-continue.
