Zappos Online Shoe Store Hit By Hackers

Zappos.com, attacked by hackers, has reset the passwords of 24 million customers.
There are a few jokes going around the web already — they’re nipping at our heels, they’ve caught them flat-footed, etc. — but this really isn’t funny. It appears that hackers who attacked Zappos, the giant online shoe store, may have gotten their hands on customers’ names, email and billing addresses, phone numbers and the last four digits of their credit cards.
Zappos.com claims it’s not a crisis for customers because the hackers didn’t get full credit card numbers or passwords. But it’s a reminder of how busy the hacking business is, and what a pain it can be for companies and their customers.
Zappos CEO Tony Hsieh put out a message Sunday night saying the company is getting in touch with all 24 million customers who have accounts. It’s already deleted their current passwords and is sending instructions on how to create new ones. (If you’re a Zappos user, the place to go for password changes is here.)
“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Hsieh wrote in a message to employees. “It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
Beyond that, the company declined comment. It would not say whether 24 million customers’ files had been breached, only that it’s reset 24 million passwords.
Zappos has often been cited as a customer-relations success story. By offering free shipping on both purchases and returns, it made buying online a very low-risk proposition for customers. Other e-commerce retailers have copied its model. It’s now having to practice crisis management.
Hsieh’s message included some standard advice: “We also recommend that you change your password on any other web site where you use the same or a similar password.” Smart hackers may not be defeated by a mere password, but why make it easier for them?
In the sidebar next to Hsieh’s post was a box: “Shop with Confidence. Shopping on Zappos.com is safe and secure. Guaranteed! You’ll pay nothing if unauthorized charges are made to your credit card as a result of shopping at Zappos.com.”

I’m a Zappos customer and I’ve heard NOTHING from the company directly. Their website now has a prominent link to Change Password Now, but they never mention the breach. Does this mean that only some customers were affected, or is Zappos just dragging their feet informing people? Also, their server must be slammed with password reset requests – I’ve been waiting over 2 hours for the promised email with the reset instructions.
Posted by: Lauren | January 16, 2012, 1:21 pm
We are a customer of 6PM and Zappos, and got the email late last night. In this day and age of phishing we actually thought it was a joke. Crisis communications needs to teach companies to be clear and direct about the issue at hand. This email (same for both sites) was long-winded and sing-songy and did not get to the point quickly. Say we were hacked, this is the damage done that we know (credit card numbers stolen or not) and here are the three things to do now. It did say all of this, but if you print out the emails, it was about a page and a half long – in 7 point type – just like the terms and conditions agreements.
Posted by: Bill | January 16, 2012, 1:38 pm
Lauren, I got an email from Zappos saying that I was affected before I saw this article. It was sent at 8:15 AM eastern time. Perhaps your account was not impacted. Either way, just change your password to be safe.
Posted by: Pam | January 16, 2012, 1:45 pm
I’m mostly a customer of 6pm.com, but was a long time customer of Zappos before 6pm ramped up. I did not get notification from either site, despite recent 6pm.com purchases. I was able to successfully change my 6pm.com password, but it went into an infinite loop until someone showed up at their site after 9am EST. As for Zappos, I changed broadband providers and had to change my email address and never updated my account info there. Now I can’t receive the password change response from them. I have tried to call them repeatedly, but their 24/7/365 phone line is not available today. I realize they would be swamped, but hey–they are responsible for this mess, they need to be there to deal with the aftermath. I sent email asking how to change the password given that my account has a different email on it now, but the best I got was an auto-reply saying it could be three days before they respond. I’ve spent much of my day chasing down other sites where I’ve ordered stuff in the last couple years to change my password and to check for stored credit card info. Many sites store this information and you can’t remove it because it’s not shown in the user account area. Lands End responded to my inquiry about it and they reset my account to purge that info–it’s a good idea to do this, especially if there are fairly recent transactions. You can’t change the transaction history where the credit card account number may be linked to the transaction in a different database, but you can be careful about whether a merchant stores your credit information along with your billing/address info. They don’t need to do that and it’s wise not to let them just for what happened now with Zappos. I’m furious that Zappos isn’t more immediately helpful.
Posted by: Kayo | January 16, 2012, 3:09 pm
I got their email just a few minutes before finding this article. I was glad that they didn’t treat me like a total idiot, and actually included the details that my credit card information was in a different database that was not accessed. Knowing that makes a difference.
Posted by: Beth | January 16, 2012, 3:23 pm
Zappos’ email is misleading. There most definitely is a risk of credit card fraud here, and they should be warning customers to check their credit card statements for it.
Right before Christmas, we spotted a fraudulent $1200 Zappos charge pending on the credit card account that was on file with my Zappos account. We noticed it because we check our credit card statement online frequently. The crooks had ordered merchandise to be shipped to a different address in another state.
I expect quite a few of Zappos customers will notice fraudulent charges when they check their January statements, but not everyone checks their monthly statements as they should. Zappos ought to have warned their customers about this.
Posted by: Lori | January 16, 2012, 3:59 pm
I received an email from 6pm last night and quickly went to the 6pm website (not via the email) to see if it was a hoax. When I found out it wasn’t, I changed my password. I did not receive anything from Zappos and found out they also had been hacked into this morning on the news. I was disappointed that I did not hear from Zappos & had to hear it on the news. I did change my password with Zappos today. It’s a reminder to all of us to regularly change our passwords and not use the same one for every site. It is a new year & I will clean up & change many of my passwords.
Posted by: lisa | January 16, 2012, 4:16 pm
So how long is it going to take before consumers demand state or federal laws requiring websites to maintain their customers’ information in an up-to-date encrypted format? There’s very little incentive for online businesses to aggressively protect such information now. If they’re hacked, the reaction is a big OOPS! How ’bout putting some teeth behind it? Make it hurt to be stupid or lazy with customers’ information!
Posted by: Paul | January 16, 2012, 11:03 pm