Zappos Breached
The online retailer Zappos announced yesterday a breach of their systems and has expired all account passwords on zappos.com. There is a letter to employees from the Zappos CEO available on zappos.com.[1] They are urging all customers to change their Zappos account password immediately [2], and to do the same on accounts elsewhere if your password is in sync.
It is also being reported that they have turned off company phones and request that inquiries be sent by email, as their phone system cannot handle the high volume.[3] ISC Handlers outside the US have reported they are unable to get to the Zappos.com sites. It appears they have opened things back up for some non-US traffic, but not all traffic is open as of this writing.
I have not read any report on this issue that indicates what day the incident was discovered. There are also no available details on how long the breach was active before being discovered by Zappos staff. However, if basic incident handling protocols are being used for this incident, then it appears the discovery of the incident is only "days" old, and not "weeks" or more. If this is true, I applaud Zappos for coming clean as quickly as possible. Far too many companies wait too long to notify their customer base.
If anyone has details they can share or reports that provide any further info, then feel free to post a comment or send it in to us directly.
[1] http://blogs.zappos.com/securityemai
[2] http://www.zappos.com/passwordchange
[3] http://www.eweek.com/c/a/Security/Zappos-Latest-Company-Hit-by-Data-Breach-581979/
Comments
J-to-the-K
Jan 16th 2012
"Linux http://TMobileWebServer1.cl.datapipe.net 2.6.18-194.26.1.el5 #1 SMP Fri Oct 29 14:21:16 EDT 2010 x86_64"
This was published to Pastebin on the 14th of this month but the records listed show the compromise happened on October 29th. Looks like they are kind of late to the show.
JColorossi
Jan 16th 2012
ChanceyGardener
Jan 16th 2012
Thanks for the comments.
JColorossi: The link shows T-Mobile info. Am I missing the relevance?
ChanceyGardener: They could have been hacked longer AND known for more than a few days. However, there are indicators that support the knowledge is only a few days old. That being said, nothing confirms it to date.
Sadly, it is very common for these types of breaches to go undetected for some time first, before being addressed.
-Kevin
Kevin Shortt
Jan 16th 2012
The ban on access had included barring access to the outage information and password reset pages.
Andrew from Vancouver
Jan 17th 2012
As I said, Zappos is giving us a real-time lesson on how to do crisis management properly and we should all be taking notes. For a more detailed analysis: http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach
J.G.
Jan 17th 2012