Amazon-owned Zappos hacked, 24 million accounts compromised

By on January 16, 2012, 12:30 PM

Online retailer Zappos alerted customers late Sunday that it had suffered a security breach, compromising customer account information including names, shipping and billing addresses, phone numbers, and e-mail addresses. Over 24 million customer accounts were affected in the breach.

According to an e-mail from Zappos CEO Tony Hsieh, attackers gained access to parts of the company’s internal network and systems through a server in Kentucky. He emphasized that credit card data -- other than the last 4 digits of credit card numbers shown in transaction information -- was not exposed, and neither was other payment data since the separate database containing that information was not accessed.

Customers' passwords were also exposed in the hack, but the online retailer insisted that they were encrypted, so attackers had no access to the actual passwords. Still, as a precaution, the company reset all customer passwords, so customers must create new ones to access their accounts. In addition, Zappos is advising users to change their passwords on other websites where they use the same or a similar one. Amazon, which owns Zappos, was not affected by the breach, but customers of Zappos' discount shoe store were, and their passwords have been reset as well. Both sites have temporarily blocked international traffic while they work with law enforcement on an exhaustive investigation.

User Comments: 11

ikesmasher said:

more and more hacks every day...

I think I'll say that anon inspired some people.

tehbanz tehbanz said:

Yeah, I've stuck to only PayPal sites since this all took off

(still no proof it was anon though)

Orionlocke said:

What is wrong with people these days? Do they say to themselves, "I'm awesome with computers so I think I'll use my skills to perform criminal acts?"

It seems like every day there's news of yet more and more hacks like this going on.

Just to put it into perspective, if someone mugs someone on the street, they're stealing and hurt one person. These boneheads doing these hacks are stealing, but instead of hurting one person, they're hurting 24 million people in this case. I wonder if they think about that... or even care.

Guest said:

These sorts of attacks are so sophisticated they likely have government backing from "someplace". These are not your young college students 'hacking' into your systems to show off anymore; it's not even criminal activity, which tends to not be very organized anyway. Oh, why bother. Enjoy your opinions :)

ikesmasher said:

Guest, you'd be surprised how easy some of this stuff is. I mean. PSN got shut down by a DDoS, one of the most common hacks.

dioltcom said:

Well, one of my friends informed me that he just got an email, and the actual text reads "cryptographically scrambled password". That definitely sounds like hashed passwords to me, but one can only hope they were salted.

Cellar said:

What is up with all the hackers lately?

Emin3nce said:

Wait... They changed it so the user has to change their password for security, yet the hackers have all the other info.

My thoughts: Hacker logs in, says "you must change your password, please provide X and the email address." Done. Hacker now owns the account.


treetops treetops said:

For a second I thought it was Pinzoo, the oddly named site I used to get cell phone minutes from. I shake my fist at these hackers.

RH00D RH00D said:

ikesmasher said:

Guest, you'd be surprised how easy some of this stuff is. I mean. PSN got shut down by a DDoS, one of the most common hacks.

PSN being shut down by DDoS and the hack that resulted in the data theft were isolated, close-in-time incidents performed by separate entities, one being Anonymous (the DDoS) and the other still unknown as far as I've been updated.

I don't know if you actually did know the difference, as you didn't specifically mention the data theft hacking, but I just wanted to clarify for people who might not have known.

Anyways, these days I wouldn't use a "X company was hacked" as a basis for not using them any more. It's all in the way they handle the situation and the preventative defences (real-time intrusion monitoring?) that they have in place that ultimately decides that, to me.

Guest said:

~ Amazon US is also being hacked by Amazon.Br (Brazil), but is being blocked by untrustworthy certificate site warnings and blank page warnings (>We're sorry. An error occurred when we tried to process your request. Rest assured, we're already working on the problem and expect to resolve it shortly<), which both show Amazon US being redirected to Amazon Brazil, thus disabling the Amazon customer from entering, ordering, chatting, or signing out of the US Amazon site.

We're sorry. An error occurred when we tried to process your request. Rest assured, we're already working on the problem and expect to resolve it shortly.

This Connection is Untrusted

You have asked XXXXXX to connect securely to, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

uses an invalid security certificate.

The certificate is only valid for

(Error code: ssl_error_bad_cert_domain)

