Zappos CEO Says 24M Customer Accounts Have Been Hacked

HardOCP News

A message today on the Zappos.com official blog is warning its 24+ million customers that the company has been hacked and that names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of your credit card number have been accessed by hackers.

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
 
Hackers have all they need to give those 24 mill customers new credit cards they'll never know.

I would say more about these things and why they happen. But I cannot.
 
My father was affected by this; there was a $2400 order placed on his card and he has to get a new one now.
 
I'd be curious if the details ever come out and how the Payment Card Industry levies a fine.
 
Luckily the card I had the last time I used them has long been discontinued.

I gave them the 'boot'. hehe
 
Good thing I didn't place an order of IZOD jeans through them...I used Amazon instead.
 
Zappos owns 6pm.com as well and I got an email from them

6pm.com

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on 6pm.com, including
one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the
standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the
instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that 6pm.com
will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal
information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting 6pm.com and clicking on the "Create a New
Password" link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at
[email protected].

This email was sent to [email protected].

(C) 2007 - 2012 Zappos.com, Inc. or its affiliates
2280 Corporate Circle, Henderson, Nevada 89074

6pm.com is operated by Zappos Development, Inc.
 
I used Zappos a couple times but never signed up for an account and used Paypal instead which automatically takes it out of my bank account. I was going to sign up for an account at one time but wasn't sure how good a company they were. Now I'm glad I did it this way.
 
Finally got the link to reset my password and discovered that the CC they had on file was a debit card to a closed checking account. Nice. Come at me bros.
 
When will these companies have legal action taken against them to prevent this from happening again?
 
How would that prevent this from happening? If hackers want into a system, they will get in.

This could all be fixed with a simple law.

All online transactions require a confirmation code that is generated from the seller and sent to the buyer at a specific phone number (either land or cell) by either audible or text message. An email message may be used but may subject the purchase to up to a 5 day delay for fraud avoidance.

This is no different than in Europe with credit cards... they all have effig' pins for the most part.
 
Could be coincidence, but I had some fraudulent charges to my credit card at the end of last week. Had to have a new card issued. I am sure I used that card at zappos.
 
When will these companies have legal action taken against them to prevent this from happening again?

When will 7-11 have legal action taken against them to prevent armed robbers from holding them up at gun point? Seriously. LOL.

Looks like Zappos didn't store actual passwords, just the hash (the way they're supposed to do it) and when the hack was detected they did a reset of all account passwords just to be safe.

It's unclear to me what more they could have done. What will the hackers do with the info? I suppose it's fodder for some social engineering trolls. But no actual PW or CC data. Not sure how they could purchase anything.
 
I just hope when my personal information gets hacked from the online websites, that it isn't because of negligence on the operators' part for not applying the proper updates and patches.

While frustrating, I can kinda understand and forgive if they were the victim of a dedicated hacker. But if it was something that could have been prevented or deterred, that's not so forgivable.
 
Hackers have all they need to give those 24 mill customers new credit cards they'll never know.

I would say more about these things and why they happen. But I cannot.

This. I ain't worried about people using my existing lines of credit because all transactions appear on my phone in near real time, and I usually request a new card about four times a year, just to burn the trail. However, thieves can open lines of credit in your name and you will never know until it's too late. Best thing I can think of to combat that is to freeze your credit.

http://www.consumersunion.org/campaigns//learn_more/003484indiv.html
 
Fuck, every week I get some notification in the mail that another one of my accounts has been compromised

getting fucking sick of this shit
 
When will 7-11 have legal action taken against them to prevent armed robbers from holding them up at gun point? Seriously. LOL.

Horrible comparison. One affects 24million customers, the other only affects a single store, with limited cash on hand. One affects customers data the other does not. Businesses should have a legal obligation to keep customer data safe, otherwise what's the point of encryption or hashing on the part of the business? Seems like an awful lot of wasted resources to protect something they aren't responsible for.

Looks like Zappos didn't store actual passwords, just the hash (the way they're supposed to do it) and when the hack was detected they did a reset of all account passwords just to be safe.

Safe about what? I don't understand this logic; either the security method is trusted and robust or it's not. This "let's reset and reboot everything" tactic is one that shows inexperience or lack of trust in the method. Which in turn tells me that they don't trust their process and in fact users' accounts have been more compromised than they're letting on.

I quote "We also recommend that you change your password on any other web site where you use the same or a similar password." Why would a customer do this if the passwords from Zappos were not compromised?

Why companies choose to only encrypt a password, which is useless anyway once they have all the other data from a customer, is beyond me.

It's unclear to me what more they could have done. What will the hackers do with the info? I suppose it's fodder for some social engineering trolls. But no actual PW or CC data. Not sure how they could purchase anything.

You don't know that, unless you're working for Zappos' team. No press release tells the whole story.
 
Hackers steal credit card information from Zappos and then use it to buy stuff from the same website? Kinda funny. Maybe it's an inside job?

Not necessarily. Some people are ... dumb, even hackers.

My roommate had her Amazon account hacked and yes, the thieves bought stuff from Amazon. Yes they were caught, but she went through months of agony and paperwork getting her account straightened out.

So, we have a very large company, Zappos, and another company run by them that got hacked. Said hackers have names, addresses, phone numbers, email, last 4 digits of CC. At least that's what people are being told. What if, and it may be a big if, Zappos also has any other info, like the 3 digit security code on the CC, stored?

Changing your password is a step and no, you should never use the same pw for everything (though I know people who do, and it drives me insane). But they still got a good amount of information and who knows just how much damage can be done with this info.

What happens when Zappos customers start getting calls from collection agencies over non-payment for purchases they never made with cards they never had.
 
I just hope when my personal information gets hacked from the online websites, that it isn't because of negligence on the operators' part for not applying the proper updates and patches.

While frustrating, I can kinda understand and forgive if they were the victim of a dedicated hacker. But if it was something that could have been prevented or deterred, that's not so forgivable.

Unfortunately, until companies cop to the details of a breach (which you don't hold your breath for unless someone is actually arrested and a trial outs the details), there's usually no way to know what level of negligence was taken.

I can say with a high degree of certainty that this wasn't a case of missing patches or something. Almost certainly this was a SQL Injection issue on the website (or a website connected to the backend databases). This could indicate negligence in the web app, securing/assessing the web app, and possibly in the SQL server configuration behind it. Plus any architecture weaknesses or risks incurred in backend decisions (not encrypting something, keeping all the databases in the same server, etc).

You're right, though, there's not much blame you can give when the victim of a dedicated, skilled hacker, but there are many, many opportunistic attacks out there, too.
 
OkToBeR[hocp];1038271950 said:
Safe about what? I don't understand this logic; either the security method is trusted and robust or it's not. This "let's reset and reboot everything" tactic is one that shows inexperience or lack of trust in the method. Which in turn tells me that they don't trust their process and in fact users' accounts have been more compromised than they're letting on.

I quote "We also recommend that you change your password on any other web site where you use the same or a similar password." Why would a customer do this if the passwords from Zappos were not compromised?

In cryptography, there are plenty of methods that are not perfect, but still acceptable because of the time tradeoff when cracking the crypto. The passwords likely were lost, and while they're encrypted/hashed, there is plenty of time and CPU power available to start banging away at cracking/matching those passwords. It should *always* be a best practice to advocate changing of passwords on any compromise that may touch those accounts. Both users and internal.

If we had a perfect solution, it'd be used universally.


OkToBeR[hocp];1038271950 said:
Why companies choose to only encrypt a password, which is useless anyway once they have all the other data from a customer, is beyond me.

This isn't necessarily a choice. It's easy to encrypt (hash) passwords because you don't ever have to actually echo them back out to the web app. You don't gain much by encrypting someone's address information that is displayed back to users when they proof-read orders. That indicates the web app has the keys to pull back and decrypt data from the database, so if an attacker comes in through the web app, there's nothing else they need to do.

Good question, though, mate. :)


Someone asked how info like this can be used. For instance, perhaps I can target you on another site by trying to social engineer some information out of you, like your security questions, or something. By your email address on Zappos, perhaps I can find your Facebook/Twitter/IM accounts, but not attack you directly, and instead work on your friends. Maybe send them spoofed emails apparently from your account asking for money, because you're stuck overseas...

Security questions are a big deal, too, and overall an awful, awful idea as a companion to passwords...
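As an added illustration of the point made above about hashed passwords still being at risk (example code, not from the thread or from Zappos), this Python sketch contrasts the two storage schemes: unsalted fast hashes, where identical passwords collapse to one digest and a single precomputed table covers every leaked record, versus per-user salted scrypt, where each record must be worked on separately. The sample accounts and the short wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample of "leaked" records stored the fast, unsalted way.
# Two users who picked the same weak password end up with the same digest.
LEGACY_USERS = {
    "alice@example.com": hashlib.sha1(b"sunshine1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"sunshine1").hexdigest(),
}

# Constructed stand-in for a commodity list of common passwords.
COMMON_PASSWORDS = [b"123456", b"password", b"sunshine1", b"qwerty"]


def legacy_exposure(stolen_hashes):
    """Post-breach exposure check a defender runs on their own dump:
    how many unsalted SHA-1 records are covered by ONE precomputed table
    of common passwords. The table is built once and reused for every
    record, which is why this scheme fails in bulk and why a forced
    reset plus 'change it elsewhere too' advice is justified."""
    table = {hashlib.sha1(p).hexdigest(): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}


def hash_password(password: bytes, salt: bytes = b"") -> str:
    """Store with a random per-user salt and a deliberately slow KDF
    (hashlib.scrypt from the standard library). n=2**14, r=8, p=1 is a
    modest interactive-login work factor; the salt travels with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password, salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_same_record(password: bytes) -> bool:
    """With per-user salts, two accounts sharing a password produce
    different stored records, so one precomputed table covers neither."""
    return hash_password(password) == hash_password(password)
```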
 
Shoes are the one thing I rarely order online. 2 year olds in Malaysia rarely know how a 12E should fit.
 
Luckily I had an expired credit card with them, but I already sent a nicely worded email informing them that it will be a cold day in hell before I ever purchase anything from them again.
 
Well some banks have virtual CC numbers you can generate and set a limit of, as well as expiration date.
 
Hackers steal credit card information from Zappos and then use it to buy stuff from the same website? Kinda funny. Maybe it's an inside job?

I had that situation last week. I ordered flowers for someone. The next morning, I got an email stating the flowers were delivered. Then 20 minutes later, I got an email stating my billing information needed to be updated. The website address had 1 extra letter in it. I just copied the address to check it out, I put in a false account name and pw, it went through and asked for all of my billing info.

Inside job as the website was just registered 1 week earlier.
 
I can say with a high degree of certainty that this wasn't a case of missing patches or something. Almost certainly this was a SQL Injection issue on the website (or a website connected to the backend databases). This could indicate negligence in the web app, securing/assessing the web app, and possibly in the SQL server configuration behind it. Plus any architecture weaknesses or risks incurred in backend decisions (not encrypting something, keeping all the databases in the same server, etc).

Or they could have just handed a backup/copy of their database to a third party (developer/auditor/data miner) who kept it insecurely. On more than one occasion when I worked as a web developer I got handed full copies of (slightly outdated) customer DBs from fortune 500 companies when I asked for "sample data". One such copy even had unencrypted passwords. It's scary how little thought some very well known companies put into data security.
 