Zappos Breach Affects 24 Million
Customers Urged to Reset Passwords, Monitor for Phishing
In a blog post, Tony Hsieh, CEO of Zappos, explains that a criminal gained access to certain parts of the network through one of the company's servers in Kentucky.
"We are cooperating with law enforcement to undergo an exhaustive investigation," Hsieh says.
The breach gave the attacker access to some or all of the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and cryptographically scrambled (hashed) passwords, but not the plaintext passwords themselves. A hash cannot be read back directly, but a stolen hash can still be attacked offline by guessing candidate passwords, which is why a reset is the standard response.
The database that stores customers' critical credit card and other payment data was not affected or accessed, Zappos says.
In response, the company has expired all existing customer passwords and is asking customers to create new ones.
"We also recommend that you change your password on any other web site where you use the same or a similar password," the e-mail sent to affected customers states.
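To make concrete what "cryptographically scrambled" does and does not protect, and why the advice about reuse on other sites matters, here is an added Python illustration; it is not code from the article or from Zappos. The sample records, the guess list, the unsalted SHA-256 scheme and the salted PBKDF2 scheme are all constructed assumptions for the example; the article does not say which scheme Zappos used.

```python
import hashlib
import os

# Constructed sample data for illustration only. The unsalted SHA-256 scheme
# and the per-user PBKDF2 scheme below are assumptions chosen to contrast two
# ways of "cryptographically scrambling" a password; the article does not say
# which scheme Zappos used.
LEAKED_RECORDS = {
    "alice@example.com": hashlib.sha256(b"Summer2011").hexdigest(),
    "bob@example.com": hashlib.sha256(b"x9!Qr2#vL0pW").hexdigest(),
}
GUESS_LIST = ["password", "123456", "zappos", "Summer2011", "letmein"]


def crack_unsalted(records, guesses):
    """Recover every password in records whose unsalted SHA-256 hash matches
    a guess. One pass over the guess list covers every user at once, because
    identical passwords produce identical hashes."""
    table = {hashlib.sha256(g.encode()).hexdigest(): g for g in guesses}
    return {email: table[h] for email, h in records.items() if h in table}


def pbkdf2_record(password, salt=None, iterations=100_000):
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest) with a random
    16-byte salt unless one is supplied (needed to re-check a guess)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def crack_salted(records, guesses, iterations=100_000):
    """The same guessing attack against salted PBKDF2 records. The salt forces
    one slow derivation per (user, guess) pair instead of a single table
    lookup, but a guessable password still falls."""
    cracked = {}
    for email, (salt, digest) in records.items():
        for g in guesses:
            if hashlib.pbkdf2_hmac("sha256", g.encode(), salt, iterations) == digest:
                cracked[email] = g
                break
    return cracked


def reuse_hits(cracked, other_site_records):
    """Credential-stuffing check: which recovered passwords also open the same
    e-mail address's account on a second, unrelated site (salted PBKDF2 there)."""
    hits = []
    for email, pw in cracked.items():
        if email in other_site_records:
            salt, digest = other_site_records[email]
            if pbkdf2_record(pw, salt)[1] == digest:
                hits.append(email)
    return hits


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_RECORDS, GUESS_LIST)
    print("recovered from unsalted hashes:", cracked)
    # Constructed second site where alice reused her password and bob did not.
    other_site = {
        "alice@example.com": pbkdf2_record("Summer2011"),
        "bob@example.com": pbkdf2_record("a-different-password"),
    }
    print("accounts opened elsewhere by reuse:", reuse_hits(cracked, other_site))
```

The contrast is the point: salting stops one guess table from covering every user, and a slow derivation makes each guess cost more, but neither saves a password that is guessable or that the user also typed into another site. That is why a breached operator resets hashes rather than trusting them, and why the reset advice extends to other sites that share the same password.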
Zappos also warned customers about potential phishing attacks as a result of the breach. "As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail," the statement says. "Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information."
A web page has also been established to provide updates and answers to customers' questions.
"We've spent over 12 years building our reputation, brand, and trust with our customers," Hsieh says. "It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."