Online retailer Zappos alerted customers late Sunday that it had suffered a security breach, compromising customer account information including names, shipping and billing addresses, phone numbers, and e-mail addresses. Over 24 million customer accounts were affected in the breach.
According to an e-mail from Zappos CEO Tony Hsieh, attackers gained access to parts of the company’s internal network and systems through a server in Kentucky. He emphasized that credit card data -- other than the last 4 digits of credit card numbers shown in transaction information -- was not exposed, and neither was other payment data since the separate database containing that information was not accessed.
Customers' passwords were also exposed in the hack, but the online retailer insisted that they were encrypted, so attackers had no access to the actual passwords. Still, as a precaution, the company reset all customer passwords, so customers must create new ones to access their accounts. In addition, Zappos is advising users to change their passwords on other websites where they use the same or a similar one.
Amazon.com, which owns Zappos, was not affected by the breach, but customers of Zappos' discount shoe store 6pm.com were, and their passwords have been reset as well. Both sites have temporarily blocked international traffic as they work with law enforcement on an exhaustive investigation.