Twenty-four million Zappos customers are getting an unpleasant Sunday-evening surprise.
The Amazon-owned e-commerce firm has revealed that it was the target of a cyber attack that gained access to its internal network, including the accounts of 24 million of its users. Though the company says that no complete credit card numbers were revealed in the breach, the intruders may have accessed customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords. Zappos says it’s taken the precaution of resetting the passwords of all its customers and directing them to set a new password upon visiting the site.
“We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky,” chief executive Tony Hsieh wrote to Zappos employees in an email posted to the site, declining to offer more information about the breach. “We are cooperating with law enforcement to undergo an exhaustive investigation.”
But this is what’s actually on the consumer site when you try to log in:
We apologize for the inconvenience; however, a recent security update has resulted in the need for you to reset your password. By resetting your password, you’ll have a more secure experience on our website.
Yeah, a security update necessitated by Zappos’ incompetence. Back to the Forbes piece:
Even after choosing a new Zappos password, users should be careful to also change their passwords on any site where they’ve used a similar or identical password, in case Zappos’ intruders are able to decrypt the scrambled passwords they’ve stolen. Zappos is also warning affected customers to watch out for phishing emails that will use their stolen email addresses to spoof official Zappos emails and ask for account credentials or financial details.
It would be, you know, helpful if Zappos told their customers this on their website.