Well, it’s 2012 and the year starts off with yet another breach – 24 million records this time. Fortunately there is positive news to go along with this story. The good news is, according to Tony Hsieh the CEO of Zappos, the database that controls credit cards and other payment data was not affected nor was it accessed. The bad news however is that one or more of the following types of information were taken: customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of customer’s credit card numbers, and “cryptographically scrambled” passwords, which most likely means they were hashed. Hashed passwords are a good security practice, but it is a method that an attacker can circumvent, especially if the password is weak. So what do you do?
Change your Passwords (Passwords not Password)
The number one recommendation SecureState makes when a breach like this occurs is to immediately change your password on Zappos’ website and to any other site sharing a similar password. Generally it is never a good idea to share passwords across many websites. SecureState recommends using a password management software such as KeePass to store passwords for multiple websites. Fortunately Zappos has expired and reset all customer passwords, so when you visit www.Zappos.com, click on “Create a New Password” in the top right of the window and follow the steps from there to access your account again.
Be aware of Social Engineering Techniques aimed at getting your information for OTHER sites
SecureState also recommends customers to be wary of phishing emails. Attackers will use the personal information gained in attacks like this to “Spear Phish”. Spear Phishing is a targeted email that appears to come from a “trusted source” in order to gain additional information. For example, a spear phishing emails could attempt to coerce the victim into entering personal information on a crafted website. Zappos’ customers should be advised that Zappos will never contact you asking for personal information or account information in an email. Customers should exercise caution if they receive any emails or phone calls that ask for personal information or direct them to a website where you are asked to provide personal information.
Below is part of the email that was sent by Mr. Hsieh to his employees:
Date: Sun, 15 Jan 2012
From: Tony Hsieh (CEO – Zappos.com)
To: Zappos Employees Subject: Important – Security
Dear Zappos Employees – Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with the FBI to undergo an exhaustive investigation.
Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
The most important focus for us is the safety and security of our customers’ information. Within the next hour, to ensure a greater level of security, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)