The online commerce world continues to take a few ugly twists and turns: online shoe and accessory retailer Zappos, now owned by Amazon, has revealed that more than 24 million customer accounts were compromised in a recent security breach. Although the company says passwords and credit card information were encrypted, information such as users’ names, addresses, email addresses, phone numbers and more was exposed.
As a precaution, Zappos has expired all the passwords on affected customers’ accounts (they’ll need to set a new password in order to log in) and sent a warning to customers about the breach, urging them to change passwords they use on other sites if those are the same as or similar to their former Zappos credentials. The advice matters because an encrypted or hashed password store, once stolen, can be attacked offline, and any passwords recovered that way can be tried against other services where the same credentials were reused.
“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” wrote Zappos CEO Tony Hsieh in an email message to customers. “It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
Zappos says it is cooperating with law enforcement on the breach, and that the attackers got into parts of the company’s internal network through a server in Kentucky.
For the time being, Zappos is only responding to customer queries about the incident via email, saying it simply does not have the phone systems or staff to handle the call volume the incident could generate. However, the company is asking all employees at its headquarters to help with customer assistance, and expects that within the next day everyone will be up to speed on walking customers through the password change process.
As yet, no one has claimed responsibility for the breach. In cases like this, attackers typically target users’ names, addresses, and credit card information in order to perpetrate identity theft or credit card fraud, or to sell the information to people who will. However, customers’ names, addresses, and particularly email addresses are also marketable items in their own right: anyone with a compromised account on Zappos can probably expect an uptick in spam, phishing, and spear-phishing attacks targeting them, with the exposed personal details making those lures more convincing.
Amazon.com acquired Zappos in 2009, and largely lets it operate independently of Amazon’s larger operations.