Amazon’s Zappos.com Breached

A notification mail is circulating stating that “Zappos.com” has been hacked. The online shoe and apparel outlet has apologised over a massive data breach that exposed the personal details of up to 24 million people.

The breach exposed names, email addresses, postal addresses, phone numbers, password hashes and the last four digits of customers’ Social Security numbers and/or credit card numbers (there are differing reports on this; assume the worst). Zappos insists that credit card data was not compromised.

The Zappos website currently returns the message: “We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at help@zappos.com.” Zappos is blocking international traffic to its blog, so customers outside the US are unable to see CEO Tony Hsieh’s explanation of how the breach happened, which was posted late on Sunday night.

The explanation said that hackers “gained access to parts of our internal network and systems” through a server in Kentucky. Zappos has reset passwords and is in the process of notifying customers about the breach.

Zappos has suspended its telephone support operation, asking customers to contact it only via email.

Customers who may have used the same login and password at other sites would be well advised to change those passwords as soon as possible. This breach can be expected to result in phishing attacks and spam campaigns targeting the affected users.


2 thoughts on “Amazon’s Zappos.com Breached”

  1. Zappos’ email to their customers is misleading. If you kept a credit card number on file with your Zappos account, as I did, you need to check your credit card statement for fraudulent charges.

    We spotted a $1200 fraudulent Zappos charge pending on our credit card account right before Christmas. We noticed it right away because we check our bill online frequently. The crooks had ordered merchandise to be delivered to an address in a different state.

    Zappos should be warning their customers to check their credit card statements, not implying that there is no risk of credit card fraud from this breach.

    • Good advice, and I am pleased that you detected the charges before clown-boots made off with your cash. It would also be wise of Zappos to treat their international clients with the same care and diligence as they do their domestic US customers. Making the website unavailable to non-US addresses was a pretty sketchy containment mechanism, if that was indeed what it was. It isn’t that hard for an attacker to route their attacks through a local PC.

      Cheers!
      Mark

Comments are closed.