Online retailer Zappos.com hit by hackers

This is the stable version, checked on 18 December 2024. Template changes await review.

Tuesday, January 17, 2012

Zappos.com, one of the largest online retailers of shoes and apparel, disclosed Sunday that it was hit by a cyber attack. The attack compromised as many as 24 million accounts. Personal data may have been taken, but credit card numbers are encrypted and thus cannot be stolen.

Zappos's corporate headquarters in Henderson, Nevada
Image: Coolcasear.

Information that may have been compromised includes customers shipping addresses, phone numbers, email addresses, account passwords and the last four digits of any credit card used. Though credit card numbers are encrypted by the Payment Card Industry Data Security Standard, other personal information is often not. This is common practice among e-commerce websites.

... there's no one fighting for the individual consumer whose e-mail address falls into the possession of hackers.

—Todd Feinman

Todd Feinman of Identity Finder told USA Today, "Visa and MasterCard fight to protect credit card numbers, but there's no one fighting for the individual consumer whose e-mail address falls into the possession of hackers."

Zappos.com required its users change their account passwords. It notified users of the required change and updated on the situation through an email. They also advised users to change their password on other websites if it is similar to the one used on Zappos.

In a blogpost, Zappos CEO Tony Hsieh said "We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."


Sources