Online retailer Zappos hacked, 24 million accounts compromised

CNN Wire Service

NEW YORK — Online shoe store Zappos has been hacked, exposing the names, email addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers, the company said late Sunday night.

Citing an “illegal and unauthorized access” to customer account information, the company reset its customers’ passwords. Zappos then urged customers to change their login credentials on any other sites for which they use the same password and username.

Zappos.com put a big green “create a new password” button on its homepage on Monday.

Zappos said customers’ passwords were exposed in the hack, but the online retailer insisted that they were stored in encoded form and that attackers had no access to customers’ actual passwords. Resetting its users’ passwords was just an added precaution, since it’s highly unlikely the hackers will be able — or would take the time — to unlock the encryption.

Customers of Zappos’ discount shoe store 6pm.com were also affected, and their passwords were reset as well.

That was “the bad news,” according to Zappos, which is owned by Amazon.

The “better news” was the cybercriminals that stole the information had no access to full credit card numbers or other payment data, since the database containing that information was not hacked.

All that was revealed were the last four digits of customers’ credit card numbers — just like the information that appears on a printed receipt at a physical store.

The last four digits of a credit card number serve as a way to identify a customer, but in terms of actually matching a real credit card number to a person, they are even less useful than the last four digits of a Social Security number.

The cyberattack occurred on one of Zappos’ servers located in Kentucky, through which the hacker was able to gain access to part of the company’s internal network and systems. Company CEO Tony Hsieh said in an email to employees that Zappos is working with law enforcement to undergo an “exhaustive investigation.”

The Zappos hack, though annoying for customers, is nowhere near as serious as some other recent thefts of consumer account information. Last spring’s attack on Sony led to stolen credit cards from 77 million customers, and a Citigroup hacker stole $2.7 million from about 3,400 accounts in May.

These kinds of hacks can be immensely damaging to a brand. In fact, companies are generally reluctant to reveal hacking incidents unless they’re legally required to, such as when customer information has been exposed.

“We’ve spent over 12 years building our reputation, brand and trust with our customers,” Hsieh wrote in the company memo. “It’s painful to see us take so many steps back due to a single incident.”

Despite recent ramped-up efforts to protect against unauthorized entry into companies’ systems, hacks have only increased in number and in scale.

Globally, data breaches are expected to have accounted for $130.1 billion in corporate losses last year, according to the Ponemon Institute. Historically, about 30 percent of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion was stolen in 2011.