Online retailer Zappos, which sells shoes and clothing through its website at Zappos.com, has reported that its servers were ‘recently’ hit by hackers. The personal information of up to 24 million customers may have been stolen. The exact date of the incident was not provided.
According to Zappos CEO Tony Hsieh, a Zappos server located in Kentucky was attacked “by a criminal who gained access to parts of our internal network and systems.” Hsieh said he could provide only limited details; however, Zappos is cooperating with law enforcement in an exhaustive investigation.
Hsieh said that the database that contains complete customer credit card numbers was not affected. On Sunday the company began notifying over 24 million customers of the hacking incident. In the e-mail they sent out, they ask customers to reset the passwords on their Zappos accounts. All existing passwords have been expired.
The e-mail to customers stated that critical credit card and other payment information was not accessed.
The data that was accessed may contain names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers. The information also contained the user's password in a cryptographically scrambled format.
According to Zappos, the actual password in plain text format was not available to the hackers. However, the company is recommending that customers who use the same password on other websites change it on those websites as a precaution. It also cautions customers against responding to e-mails or phone calls that ask for personal information, or that direct customers to a site that asks for personal information.
Zappos is providing this webpage, http://www.zappos.com/passwordchange, for customers to use for changing passwords. The company has also said that it has turned off its phones and is handling inquiries by e-mail. This was done, according to Hsieh, because “our phone systems simply aren’t capable of handling so much volume.” The e-mail address provided for assistance is: firstname.lastname@example.org.
In a letter to employees, Hsieh asked all of them to assist customers, regardless of what department they work in.