Slashdot Mirror


Zappos Hacked: Internal Systems Breached

wiredmikey writes "Zappos appears to be the latest victim of a cyber attack resulting in a data breach. In an email to Zappos employees on Sunday, CEO Tony Hsieh asked employees to set aside 20 minutes of their time to read about the breach and what communications would be sent to its over 24 million customers. While Hsieh said that credit card data was not compromised, he did say that 'one or more' of the following pieces of personal information has been accessed by the attacker(s): customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers. User passwords were 'cryptographically scrambled,' he said."

4 of 122 comments

  1. First the bad news.. by lemur3 · · Score: 4, Interesting

    from the email going out to customers:
    Subject: Information on the Zappos.com site - please create a new password

    First, the bad news:

    We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

    THE BETTER NEWS:

    The database that stores your critical credit card and other payment data was NOT affected or accessed. ...translation:

    The Bad News is that things are shitty.

    The Good News is that people are learning to love the smell of shit.

  2. Re:Storing passwords (not as easy as you think) by dgatwood · · Score: 4, Interesting

    Like storing authentication information on a separate server from user information. This tends to make the info a lot less useful.

    Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Re:Storing passwords (not as easy as you think) by seifried · · Score: 3, Interesting

    I assume you mean http://www.tarsnap.com/scrypt.html and https://github.com/pbhogan/scrypt? Looks interesting, I'll have to check them out.

  4. Re:Storing passwords (not as easy as you think) by Cato · · Score: 4, Interesting

    Mod parent up, the article is quite good.

    A more general and simpler answer though is to *always use a standard library* - see http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919 for a good answer.

    Also ensure that your password storage is one-way hashed, and *salted* with a random salt (different per user) and uses *password stretching* (i.e. iterates the hashing function thousands of times to make brute forcing much more expensive). See http://slashdot.org/comments.pl?sid=1987632&cid=35150388 for more on password stretching including phpass, the gold-standard library for PHP used by WordPress, Drupal, etc.

    Most importantly, never write your own password storage - you are virtually guaranteed to get it wrong. Apart from the above issues, what about timing attacks (Zend has an article about this from a PHP perspective.)
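The three properties Cato's comment asks for (one-way hash, per-user random salt, stretching via many iterations) plus the constant-time comparison that closes the timing-attack point, shown as an added example that is not from the thread or from Zappos. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`, `secrets` for the salt, `hmac.compare_digest` for the comparison); the record format `algo$iterations$salt$hash` and the iteration count of 200,000 are this example's own assumptions. A naive unsalted hash is included beside it purely to show why two users with the same password must not get the same stored value.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256 from the
# standard library, with the iteration count stored inside the record so it
# can be raised later without invalidating existing users.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The 'cryptographically scrambled' approach to avoid: a single unsalted
    SHA-256. Identical passwords yield identical hashes, so one cracked hash
    (or a precomputed table) unlocks every account sharing that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for this user only
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )  # stretching: each guess costs the attacker `iterations` HMAC calls
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash from the stored salt and iteration count,
    then compare in constant time so the comparison itself leaks nothing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, expected)


def salt_separates_equal_passwords(password: str) -> bool:
    """Demonstrate the salt's effect: the same password hashed twice gives two
    different records, yet both still verify against that password."""
    a = hash_password(password)
    b = hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted collision:", weak_hash(pw) == weak_hash(pw))
    rec = hash_password(pw)
    print("record:", rec)
    print("verify ok:", verify_password(pw, rec))
    print("verify wrong:", verify_password("wrong", rec))
    print("salt separates equal passwords:", salt_separates_equal_passwords(pw))
```

Storing the iteration count in the record is what lets a site raise the work factor over time: old records keep verifying, and a login with an under-stretched record can be transparently re-hashed at the new count. In production the standard library choice would normally be a dedicated library (phpass, bcrypt, scrypt or Argon2 bindings), which is exactly the comment's point about not writing your own.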