24 million customer accounts hacked at Zappos

Mon Jan 16, 2012 3:21pm EST

A Kentucky warehouse for Zappos.com is seen in an undated handout photo.  REUTERS/Zappos.com/Handout

(Reuters) - Online shoe retailer Zappos told customers this weekend that it has been the victim of a cyber attack affecting more than 24 million customer accounts in its database.

The popular retailer, which is owned by Amazon.com, said customers' names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and scrambled passwords were stolen.

But it said the hackers had not been able to access servers that held customers' critical credit card and other payment data.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," Zappos chief executive Tony Hsieh said in an email to staff which was posted on the company's blog on Sunday.

"We are cooperating with law enforcement to undergo an exhaustive investigation," he added.

Zappos said it was recommending that customers change their passwords, including on any other website where they use the same or a similar password.

The company, which is well known for its customer service, said that because of the high volume of customer calls it is expecting, it will temporarily switch off its phones and direct customers to contact it via email.

(Reporting By Yinka Adegoke)

Comments (3)
mb56 wrote:
It is well past time to REQUIRE that all uniquely identifying information be encrypted when stored on company computers. Encryption is easily and economically available these days – there is no longer any rational excuse to lose plain-text customer information to some hacker. When is Congress going to step up and make this a requirement for any business storing personal information?

Jan 16, 2012 9:04pm EST
Nullcorp wrote:
I just placed my first two orders with Zappos last week. So much for the focus on customer service. Everything about their marketing tries to convince you that they care about you, but apparently that concern does not extend to protecting my personal data.

I agree with the comment from ‘mb56’ who suggests that encryption of customer data should be legally mandated. Instead of SOPA and other legislation introduced to protect corporations, Congress should be passing laws that protect citizens instead. Encryption can often be broken but there’s really no excuse for customer data to be stored in an unencrypted format.

Jan 17, 2012 1:22pm EST
Nullcorp wrote:
I’ll also add that my personal info was stolen during the EMC student loan data breach a few years ago. The stolen information was stored on 600+ CDs (IIRC), not online. But the thieves threw away all the CDs once they realized that the data was encrypted. Ironically that is how they got caught. But it was a big relief to know that the stolen data was encrypted and that the thieves had given up. Encryption should really be standard practice, required by law.

Jan 17, 2012 1:26pm EST