Zappos.com - the online source for shoes - was the victim of an attack that compromised account information for millions of customers. Zappos customers need to understand what is at stake, and be on alert for suspicious or malicious activity resulting from the attack.
In a letter to Zappos customers, CEO Tony Hsieh explains that the site was hacked, and that information including names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords may have been exposed. The good news, according to Hsieh, is that the database storing actual credit card and payment data was not breached.
What do we know?
At this early stage, we basically know what few details Zappos has shared with it customers. Neil Roiter, research director for Corero Network Security, says, "We know that some 24 million customer records were breached."
What don't we know?
There is a lot we don't know. Roiter explains, "We don't know how the breach occurred, or when or over how long a period of time it took place."
Those details may prove helpful for future reference - especially if the attackers exploited a zero day vulnerability, or found a unique attack vector that other organizations should be aware of to adequately defend against. As far as the fallout of this specific event goes, though, the proverbial horse is already out of the barn. Figuring out how the information was compromised won't uncompromise it.
What could/should Zappos do differently?
Andrew Storms, director of security operations at nCircle, says, "There's almost no information about the attack method used to infiltrate Zappos so it's way too early to point fingers or throw stones at their security practices."
Storms points out that Zappos' response to the incident seems to be appropriate so far. It has notified customers, and it reset all passwords to force customers to create new ones to replace those that may be exposed or cracked as a result of the breach.
Roiters agrees that there really isn't enough information to go on to determine what, if anything ,Zappos may have done wrong. He stresses, however, that data breaches often go undetected for extended period of time.
Roiters says, "Companies such as Zappos should have technology in place that monitors activity on their networks and reports in real time on suspicious activity or activity that does not conform to security policy. The sooner an organisation detects a breach, the more quickly it can contain it."
What should Zappos customers do now?
nCircle's Storms says that an incident like the Zappos breach is a poignant reminder for customers to make sure they use different passwords for different Internet sites - especially ecommerce sites that may contain credit card or other financial details. By using unique passwords, you can ensure the damage from a breach is limited to that one site or service.
Zappos has already taken the initiative to reset all user passwords. When creating a new one, users should remember basic password practices and make sure the password they choose is long enough and complex enough to resist cracking attempts.
Roiters says that customers may want to alert any affected credit card companies to be on alert, and adds, "It is advisable for people to use an identity protection service that alerts them if there is an suspicious activity on their accounts."
It is fortunate the hackers apparently haven't breached the actual credit card and payment data. That alone minimises the impact of this attack to some extent. Still, the data that was compromised has significant value and could be used for identity theft, so be vigilant about watching your accounts for suspicious activity.