BreachExchange mailing list archives

Zappos.com - 24 million customer accounts compromised


From: security curmudgeon <jericho () attrition org>
Date: Sun, 15 Jan 2012 20:30:29 -0600 (CST)


http://blogs.zappos.com/securityemail

The following email was sent to our employees today:

Subject: Important - Security
Dear Zappos Employees -

Please set aside 20 minutes to carefully read this entire email.

We were recently the victim of a cyber attack by a criminal who gained 
access to parts of our internal network and systems through one of our 
servers in Kentucky. We are cooperating with the FBI to undergo an 
exhaustive investigation.

Because of the nature of the investigation, the information in this email 
is being sent a bit more formally, and unfortunately we are not able to 
provide any more details about specifics of the attack beyond what is in 
this email and the link at the end of this email, but we can say that THE 
SECURE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER 
PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.

The most important focus for us is the safety and security of our 
customers' information. Within the next hour, to ensure a greater level of 
security, we will begin the process of notifying the 24+ million customer 
accounts in our database about the incident and help step them through the 
process of choosing a new password for their accounts. (We've already 
reset and expired their existing passwords.)

Here is the email that our customers will be receiving:

-------------------------------------------------------------------------
Subject: Information on the Zappos.com site - please create a new password

First, the bad news:

We are writing to let you know that there may have been illegal and
unauthorized access to some of your customer account information on
Zappos.com, including one or more of the following: your name, e-mail
address, billing and shipping addresses, phone number, the last four
digits of your credit card number (the standard information you find on
receipts), and/or your cryptographically scrambled password (but not your
actual password).

THE BETTER NEWS:

The secure database that stores your critical credit card and other 
payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired 
and reset your password. Please see the link at the end of this message to 
create a new password. As always, please remember that Zappos.com will 
never ask you for personal or account information in an e-mail. Please 
exercise caution if you receive any emails or phone calls that ask for 
personal information or direct you to a web site where you are asked to 
provide personal information.

We also recommend that you change your password on any other web site 
where you use the same or a similar password.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password.

Please create a new password by visiting Zappos.com and clicking on the 
"Create a New Password" link in the upper right corner of the web site and 
follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have 
any additional questions about this process, please email us at 
passwordchange () zappos com

-------------------------------------------------------------------------

We have also created a web page that we will continue to update as we 
learn more about what questions customers have:

    http://www.zappos.com/passwordchange

In order to service as many customer inquiries as possible, we will be 
asking all employees at our headquarters, regardless of department, to 
help with assisting customers. Due to the volume of inquiries we are 
expecting, we realized that we could serve the most customers by answering 
their questions by email. We have made the hard decision to temporarily 
turn off our phones and direct customers to contact us by email because 
our phone systems simply aren't capable of handling so much volume. (If 5% 
of our customers call, that would be over 1 million phone calls, most of 
which would not even make it into our phone system in the first place.)

We've spent over 12 years building our reputation, brand, and trust with 
our customers. It's painful to see us take so many steps back due to a 
single incident. I suppose the one saving grace is that the secure 
database that stores our customers' critical credit card and other payment 
data was not affected or accessed.

Over the next day or so, we will be training everyone on the specifics of 
how to best help our customers through their password change process now 
that their passwords have been reset and expired. We need all hands on 
deck to help get through this.

Thanks everyone.

-Tony Hsieh
   CEO - Zappos.com

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
