Amazon-owned online store Zappos has been the target of a massive data breach, that could affect as many as 24 million users of the site both past and present.
The hacker gained unauthorised access to internal networks through the online clothes and shoe store's servers. Customer's names, email addresses, as well as billing and postal addresses may have been accessed. Cryptographically scrambled passwords and the last four-digits of customers' credit card numbers are also vulnerable to the hack, Zappos chief executive Tony Hsieh said in an email published on its website.
"I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed", Hsieh added.
Zappos said that it is working with U.S. law enforcement to investigate "exhaustively" whether the data was downloaded from its servers, and to mitigate the damage suffered by its customers.
While the nature of the hack is still undergoing an investigation, the site is "not accepting international traffic", according to a notice on the site. It could be that the hacker originated from outside the United States, but Zappos said it was too early to know any specific details.
In a tweet to customers, Zappos was quick to point out that Amazon accounts "will not be affected" by the hack. But Zappos declined to comment on when the attack took place, or whether data was downloaded by the hacker.
Zappos is also temporarily shutting down telephone support and responding to email queries only. However, regardless of position, all employees at the company's headquarters, would be enlisted to help assist customers wherever possible.
Also, although passwords were hashed and protected, Zappos has voided and reset the passwords of all of its users, and warns that similar passwords used on other websites should be changed.
This is thought to be the most severe commercial cyber-attack and data breach since the Sony PlayStation Network hack last year, which brought 77 million users offline and unable to use the online multiplayer service for over a month.
It appears that Zappos, which was bought by Amazon for around $900 million in stock and cash in July 2009, is the first major online retailer to suffer such a breach.
Cyber-criminals upped their game last year, with many government-sponsored or funded agencies suffering at the hands of denial-of-service attacks and data breaches; some which later leaked online.
- A good fit: Amazon gobbles up Zappos
- 5 looming questions about the Amazon-Zappos deal
- Zappos CEO: Company culture is higher priority than customer service
- Sony's network outage, cyberattack mean long road to recovery
- Unboxing Asia: Japan develops virus to counter cyber-attacks: But can it be used?
- London Calling: Spy chief: UK cyber attacks at ‘disturbing’ levels
- Can a cyber-attack really be considered an 'act of war'?