A hacker attacked the Zappos website and gained access to sensitive customer information, the popular online shoe and clothing company announced Sunday.
According to Zappos CEO Tony Hsieh, the hacker had compromised one of the company’s servers in Kentucky and as a result, was able to gain access to internal networks.
Hsieh revealed that while no credit card data or passwords were exposed in the attack (both were stored in encrypted form), the breach did expose other personal information — including names, shipping and billing addresses, phone numbers, and e-mail addresses.
“We are co-operating with law enforcement to undergo an exhaustive investigation,” the CEO wrote in an email to Zappos employees following the attack, adding: “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.”
In light of the incident, Zappos, which is well known for its stellar customer service, said it has expired and reset customers’ passwords so they can be reset.
The Amazon-owned company also recommended that customers change their passwords including on any other website where they use the same or similar password.
The full email that Zappos sent out to customers following the breach can be read below. The statement is also posted on the company’s blog.
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at email@example.com.
Will the recent Zappos security breach slow down your online shopping habits?