Slashdot Mirror


Zappos Hacked: Internal Systems Breached

wiredmikey writes "Zappos appears to be the latest victim of a cyber attack resulting in a data breach. In an email to Zappos employees on Sunday, CEO Tony Hsieh asked employees to set aside 20 minutes of their time to read about the breach and what communications would be sent to its over 24 million customers. While Hsieh said that credit card data was not compromised, he did say that 'one or more' of the following pieces of personal information has been accessed by the attacker(s): customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers. User passwords were 'cryptographically scrambled,' he said."

23 of 122 comments

  1. breach database? by GuldKalle · · Score: 5, Insightful

    Is there a site covering breaches like these? It would be nice to have an easily searched database with number of users, the kind of info that was accessed, the attack vector etc.

    --
    What?
    1. Re:breach database? by Securityemo · · Score: 4, Informative
      --
      Emotions! In your brain!
    2. Re:breach database? by Rubinstien · · Score: 2

      I hope you are trying to be humorous. AIX is one of the buggiest UNIX implementations I know of, and that includes security bugs. A really simple example -- one that was fixed years ago in other OSes (like Solaris) -- using the Berkeley variant of 'ps', you can easily access the environment of any process on the system. On AIX you access the Berkeley version by leaving off the hyphens in front of command-line options (nice feature that, I like it better than Sun's completely separate binary). Try 'ps geww'. Not too dangerous if everyone keeps sensitive things out of their environment, but I can guarantee that is not always the case. CGI scripts tend to put interesting things there as a matter of course.

    3. Re:breach database? by bondsbw · · Score: 4, Informative

      I'm not sure what you're looking at. Its latest report is January 13, 2012.

      http://datalossdb.org/index/latest

      True, it doesn't mention Zappos yet.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:breach database? by wiredmikey · · Score: 2

      A good one also would be http://www.databreaches.net/ - M

  2. Cyber attack? by Anonymous Coward · · Score: 5, Funny

    I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos. After all, Cyber CEO Tony Hsie- oh fuck I can't keep this up.

    Don't call it a cyber attack. It was an attack. This isn't 1996.

    1. Re:Cyber attack? by mixmasta · · Score: 3, Funny

      Then the hackers drove away on the INFORMATION SUPERHIGHWAY ... in a YUGO, oops... equivalent of a CYBER-CORVETTE.

      --
      #6495ED - cornflower blue
    2. Re:Cyber attack? by SeaFox · · Score: 2

      I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos.

      I'm sure there's a gumshoe on the case already.

  3. Meh,, by arsemonkey · · Score: 2

    Other than my email, and the last 4 of my nearly maxed out credit card, that's pretty much all public record anyway.

  4. First the bad news.. by lemur3 · · Score: 4, Interesting

    from the email going out to customers:
    Subject: Information on the Zappos.com site - please create a new password

    First, the bad news:

    We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

    THE BETTER NEWS:

    The database that stores your critical credit card and other payment data was NOT affected or accessed.

    ...translation:

    The Bad News is that things are shitty.

    The Good News is that people are learning to love the smell of shit.

  5. Storing passwords (not as easy as you think) by seifried · · Score: 5, Informative

    Sadly password storage is actually tricky and most places do it wrong (using MD5/SHA1 for example). Covered in Nov 2011 article Storing your passwords properly (disclaimer: I wrote it, and it's a PDF file). One problem is that even if zappos enforces strong passwords users have a tendency to reuse their strong passwords between sites (you can only memorize so much gibberish or passphrases). Hopefully Zappos learns from this and builds a more resilient system.

    1. Re:Storing passwords (not as easy as you think) by dgatwood · · Score: 4, Interesting

      Like storing authentication information on a separate server from user information. This tends to make the info a lot less useful.

      Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Storing passwords (not as easy as you think) by seifried · · Score: 3, Interesting

      I assume you mean http://www.tarsnap.com/scrypt.html and https://github.com/pbhogan/scrypt? Looks interesting, I'll have to check them out.

    3. Re:Storing passwords (not as easy as you think) by Cato · · Score: 4, Interesting

      Mod parent up, the article is quite good.

      A more general and simpler answer though is to *always use a standard library* - see http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919 for a good answer.

      Also ensure that your password storage is one-way hashed, and *salted* with a random salt (different per user) and uses *password stretching* (i.e. iterates the hashing function thousands of times to make brute forcing much more expensive). See http://slashdot.org/comments.pl?sid=1987632&cid=35150388 for more on password stretching including phpass, the gold-standard library for PHP used by WordPress, Drupal, etc.

      Most importantly, never write your own password storage - you are virtually guaranteed to get it wrong. Apart from the above issues, what about timing attacks? (Zend has an article about this from a PHP perspective.)
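      The scheme the two comments above describe (one-way hash, random per-user salt, stretching, constant-time comparison), as an added example that is not part of the original thread and not Zappos's code. It uses the Python standard library's PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) in place of the bcrypt/phpass libraries recommended above, because it ships with the interpreter; the iteration count, the "$scheme$iterations$salt$hash" record format, the rehash policy and the sample passwords are assumptions. The unsalted-MD5 function is included only as the "done wrong" contrast the first comment mentions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy: tune so that one hash costs roughly 100 ms on the
# login server.  Raising it later is handled by needs_rehash() below.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def naive_md5(password: str) -> str:
    """The 'done wrong' baseline: unsalted, unstretched MD5.

    Every user with the same password gets the same digest, so one
    rainbow-table lookup (or one cracked row) unlocks all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, stretched one-way hash.

    A fresh random salt per user makes identical passwords produce
    different records; `iterations` rounds of PBKDF2 multiply the
    attacker's per-guess cost by the same factor.  The record is
    self-describing ($scheme$iterations$salt$hash) so the parameters
    can be changed without a migration of every row at once."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=32)
    return "${}${}${}${}".format(
        SCHEME, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def _parse(stored: str):
    """Split a stored record; returns None for anything malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        return None
    try:
        iterations = int(parts[2])
        salt = base64.b64decode(parts[3], validate=True)
        digest = base64.b64decode(parts[4], validate=True)
    except (ValueError, TypeError):
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare
    in constant time (hmac.compare_digest) so the comparison itself does
    not leak how many leading bytes of the digest matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record used fewer rounds than current policy (or is
    unreadable).  Call it right after a successful login and re-hash the
    plaintext you just verified, so the cost can be raised over time."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # sample password from the thread
    print("md5 identical for two users:", naive_md5(pw) == naive_md5(pw))
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("salted records differ:", rec1 != rec2)
    print("verify correct:", verify_password(pw, rec1))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec1))
    old = hash_password(pw, iterations=1_000)
    print("old record needs rehash:", needs_rehash(old))
```

      Two points worth noticing when running it: the same password yields a different record every time because the salt is fresh, and verify_password accepts the old 1,000-round record (the count travels with the record) while needs_rehash flags it for an upgrade, which is how you raise the stretching factor on a live user base without forcing a reset.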

    4. Re:Storing passwords (not as easy as you think) by Anonymous Coward · · Score: 3, Insightful

      I'm going to have to disagree with this statement from your article: "Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

    5. Re:Storing passwords (not as easy as you think) by Anonymous Coward · · Score: 5, Informative

      You know, I almost posted something when this article was first published but I decided it wasn't worth it. But now that it's come up again in the context of helping people I must say something.

      This article is absolutely full of errors.

      The end recommendation of using bcrypt is fine, but beyond the basic concepts the rest has major problems. A few examples:

      1. AES is not a hash function. It can be used in some constructions to emulate a hash, but you wouldn't just call that AES-256 as you do, nor is it commonly used this way.
      2. "Because hash functions like AES256 only provide 2^256 possible unique outputs..." Only? This would put you at ~2^128 outputs before you could really hope to get a collision (and not a collision with a specific output, just any two outputs colliding). This is WAAAY beyond the resources of all of humanity.
      3. "Brute-forcing older algorithms is definitely possible now (DES and 3DES already fell to brute-force attacks several years ago)." Since when was 3DES brute-forced? I see no evidence that even 2TDEA has been brute-forced, let alone 3TDEA which is what people actually use. Citation greatly needed.

      There are other problems as well, but these are enough to give a taste of the issues.
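      The "~2^128 outputs" figure in point 2, worked through as an added note (not part of the original comment): for a function with $N$ equally likely outputs, the birthday bound gives the number of outputs $k$ one must generate before any two coincide with probability $p$.

      $$P(\text{some collision among } k \text{ outputs}) \approx 1 - e^{-k^2/(2N)}$$

      $$k \approx \sqrt{2N \ln\frac{1}{1-p}}, \qquad N = 2^{256},\; p = \tfrac{1}{2} \;\Rightarrow\; k \approx \sqrt{2^{257}\ln 2} \approx 1.18 \cdot 2^{128}$$

      So a 256-bit output space needs on the order of $2^{128}$ evaluations before an arbitrary pair collides; a collision with one specific stored value (a second preimage) needs on the order of $2^{256}$.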

    6. Re:Storing passwords (not as easy as you think) by fatphil · · Score: 4, Informative

      It's hard to take seriously an article which contains remarks like the dumb:
      "26 letters, 10 numbers, 11 other character keys for a total of 94 characters"
      to the misleading:
      "Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

      It also overlooks the fact that you're increasing your workload by a factor of X in order to increase the attacker's workload by a factor of X. Therefore there is precisely no leverage at all, and it's not really much of a win, that's a break even cost-wise.

      The paragraph beginning "The advantage of bcrypt..." also seems to show that you don't appreciate the difference between a PRP like AES and a PRF like MD5 when it comes to collisions from iterated images. I'm not 100% sure about the logic you're using to lead to the "1000 possible values" claim either. In fact, quite the opposite. Are you claiming that if MD5 were iterated 2^160 times, there would be 2^160 such possible values? (I.e. every input would match a password stored in the rainbow tables.) Sounds bogus, in fact.

      --
      Also FatPhil on SoylentNews, id 863
    7. Re:Storing passwords (not as easy as you think) by Threni · · Score: 2

      No you haven't. User ID #67215298's username is Boris1322 but how would the attacker know this?

  6. Yes by happyhamster · · Score: 3, Informative
  7. Kudos to Zappos for the way they handled this. by I'm Not There (1956) · · Score: 5, Insightful

    Shit happens; the way you handle a crisis is what matters. Zappos was very open about this, sent me an email, asked me to change my password, set up new email addresses and web pages for this problem and questions that customers may have, and announced the issue quickly.

    I wish more companies would act like this.

    --
    "If fifty million people say a foolish thing, it's still a foolish thing."
  8. Re:Well... by skegg · · Score: 2

    Yeah, and we know who's ultimately going to foot that bill.

  9. Re:what does "cryptographically scrambled" mean ? by droidsURlooking4 · · Score: 2

    It was scrambled with hash. It was just supposed to be salted & peppered but the line cook put salsa on it and that's usually over easy. Crazy world today.

  10. Re:Password reset may not be a great idea by blueg3 · · Score: 2

    The passwords aren't stored cleartext in the database, they're encrypted with your master password.