The online shoe and apparel company Zappos, a subsidiary of Amazon.com, was recently hacked, and credentials for 24 million users were stolen. In an e-mail to the company’s employees, CEO Tony Hsieh said, “We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” The company told customers:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
What is important to understand here is that the actual password was not recovered, but rather a “hash,” or, as Zappos says, a “cryptographically scrambled password.” Nevertheless, Zappos has reset its passwords for all of its customers, and they will see a request to create a new password the next time they try to log into the Zappos website. Also, the hackers did not obtain full credit card numbers. Nevertheless, the hackers did obtain e-mail addresses, which could be used for spamming or phishing campaign.
While passwords were not recovered in this hack (at least according to Zappos), they are sometimes obtained in this type of data breach. It’s worth pointing to an older blog post about choosing secure passwords to remind you not to use the same password on multiple sites, and how to come up with unbreakable passwords. Data breaches like this one are common; it’s a good idea to make sure your passwords are all secure, so if passwords are obtained in a data breach, hackers can’t use yours on other sites and see if it’s the same.