It’s already a pretty rough year in the security game. A number of interesting compromises have taken place in the first weeks of the year, but nothing has matched the scale of the attack on the popular online shoe retailer Zappos.com. On Sunday 15 January, Zappos sent an email to 24 million customers notifying them of a security breach which is likely to have exposed sensitive customer details for all of its users. Two days later, at the time of writing, Zappos is still offline, which suggests that the breach has effectively crippled its business.
While full credit card numbers were not compromised (they were stored in a separate database), names, email addresses, shipping and billing addresses, the last four digits of every customer’s credit card number and the stored password hashes were accessible during the breach. It is not clear how much of this data was actually accessed or copied, but Zappos has reset all customer passwords to protect the accounts from further unauthorised access. Unfortunately, resetting passwords alone is rarely enough to recover from a compromise like this. A password can be changed; a name, address and partial card number cannot, and together they are exactly what is needed to write a convincing fake “problem with your order” email. To begin with, many existing customers will want reassurance that all personally identifiable data is removed from Zappos systems, and regaining customer trust is likely to be an uphill battle for many years to come. Zappos CEO Tony Hsieh stated “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident”.
As an online retailer, Zappos is renowned for its excellent customer service, and it is well aware of the potential repercussions of a security breach like this. Zappos has advised customers to reset their passwords on other commonly used web sites, particularly if they have used the same password. This is sound advice. Last year, after the LulzSec attacks on Sony, researchers discovered that password reuse was rampant among users. While actual passwords were not leaked in plaintext and only the password hashes were exposed, it will not take long for anybody in possession of this data to start recovering passwords from the list of hashes. If the hashes were unsalted, precomputed rainbow tables make this almost instant; even if they were salted, a pass with a common-password wordlist will still recover every weak or reused password, and only a slow, deliberately expensive hashing scheme makes that pass costly. Zappos has not said how its passwords were hashed. If you reuse your password on different sites, and you’re a Zappos customer, take heed of this advice and start changing your password at every site you visit. If possible, make sure that you use a different password for every site.
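To make the difference between those two situations concrete, here is an added Python example. It is not code from the original article and says nothing about Zappos’ own scheme, which was never disclosed; it assumes a constructed set of three invented accounts, SHA-1 as the hash, a salt-prepended storage format, and a six-word toy wordlist standing in for the multi-gigabyte lists attackers really use.

```python
import hashlib
import os

# Constructed sample of a leaked credential table: a few invented accounts whose
# passwords were stored as unsalted SHA-1 hashes. Nothing here is real data.
LEAKED_UNSALTED = {
    "alice@example.com": hashlib.sha1(b"password1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"Zx9#kQ2!vL~pw").hexdigest(),  # strong, unique
}

# A toy wordlist standing in for the huge lists attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "zappos2012"]


def build_lookup_table(words, algo="sha1"):
    """Precompute hash -> plaintext once for the whole wordlist.

    A rainbow table is a space-optimised form of this same idea; the property
    that matters is that the work is done once and then reused against every
    leaked hash, so each additional victim costs a single dictionary lookup.
    """
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(leaked, table):
    """Recover every password whose unsalted hash appears in the table."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def salted_hash(password, salt, algo="sha1"):
    """Hash with a per-user random salt prepended (assumed storage format)."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def make_salted_store(plaintexts):
    """Build a (salt, hash) record per user with a fresh 16-byte salt each."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def crack_salted(leaked_salted, words, algo="sha1"):
    """With per-user salts the precomputed table is worthless: the attacker must
    re-hash the entire wordlist for each user. Returns (cracked, hashes_computed)
    so the extra work is visible. Weak passwords still fall to the wordlist;
    only the unique, non-dictionary one survives."""
    cracked, attempts = {}, 0
    for user, (salt, h) in leaked_salted.items():
        for w in words:
            attempts += 1
            if salted_hash(w, salt, algo) == h:
                cracked[user] = w
                break
    return cracked, attempts


# The same invented plaintexts, stored salted, to compare the two attacks.
SAMPLE_PLAINTEXTS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "Zx9#kQ2!vL~pw",
}
LEAKED_SALTED = make_salted_store(SAMPLE_PLAINTEXTS)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, via lookup table:", crack_unsalted(LEAKED_UNSALTED, table))
    # The precomputed table finds nothing once a salt is involved.
    print("salted, via lookup table:",
          crack_unsalted({u: h for u, (s, h) in LEAKED_SALTED.items()}, table))
    print("salted, via per-user wordlist pass:", crack_salted(LEAKED_SALTED, WORDLIST))
```

Two things to notice when you run it: the precomputed table cracks the unsalted hashes with no further hashing at all and recovers nothing from the salted ones, yet the per-user wordlist pass still gets alice and bob back after a handful of guesses each. Salting only removes the attacker’s head start; the reused, guessable password is what actually loses. That is why the advice to change the password everywhere it was reused stands regardless of how Zappos stored it.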
At this point it isn’t clear how the breach happened or which systems were involved. Hsieh said that the compromised server was located in Kentucky, where Zappos’ order fulfillment centre in Shepherdsville is based, but there is no further detail on the systems involved. Zappos was acquired by Amazon in 2009, but it runs out of an entirely separate data centre and maintains its own infrastructure, so no Amazon systems were affected by the attack.
As a mildly amusing aside, Zappos has been advertising for an Application Security Engineer for some time now. Okay, the job is actually based in the Las Vegas office, but more than likely the role would cover systems across the entire infrastructure.