Zappos breach highlights fragile password, personal data security


Summary: Zappos resets 24+ million user passwords after hackers attack its servers. The incident reveals once again the frailty of passwords, especially when reused across sites, and that the long-term value to hackers of other personal information stored online is higher than that of credit card numbers.


Another breach, another reminder that personal data created and stored on the Internet is often more valuable than credit card numbers, and that its compromise can have far more damaging consequences.

This time it was Zappos joining the ranks of Sony, Gawker, and many others who have lost account passwords and other data to hackers.

Zappos has reset 24+ million passwords exposed during a hack of its systems Sunday, sending its users scrambling to create new passwords.

In an email, Zappos CEO Tony Hsieh also advised users to change their passwords on any other web site where they used the same or similar credentials. And he called out possible phishing exposure by reminding users that Zappos "will never ask you for personal or account information in an e-mail."

But passwords and phishing are not the only user exposures. Experts say other personal data compromised in the Zappos attack could be combined to present a wealth of possibilities for personal attacks on end-users.

In his email, Hsieh said the compromised user data potentially included names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers, along with cryptographically scrambled passwords but not the actual passwords.

"It's pretty easy if you have an electronic data set to break all but the most rigorous [password] encryption," says Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research. A Zappos PR spokeswoman said she could not provide information on encryption levels the company uses.

"So if you suddenly had names, last four digits and passwords, you would have a real treasure trove," said Cate. "Then the most logical attack is not phishing, it is attacking those accounts where the user already does business."

Cate said hackers would have enough data "for one person to start to impersonate another person. Or for one person to impersonate a business trying to contact a legitimate customer."

Imagine being contacted about an account six months after a breach by someone who had the last four digits of your credit card, your name and your address.

"I would find it really hard to immediately be suspicious of that," said Cate, who specializes in privacy, security, and other information law issues. "Those are all the indicators we teach people to know that a legit person is trying to contact them."

Cate tempered his comments by saying so far these big breaches have not resulted in waves of fraud. "The first thing is don't panic," he said.

Hsieh in his email tried to temper panic. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."

While that may be a relief to some who could suffer a $50 fee to cover fraudulent card use, it ignores the larger issue Cate raises and that Hsieh only hints at in his email.

The credit card industry has had policies for years to deal with stolen accounts. Those same institutional controls, however, don't exist for email addresses, weak passwords and reuse of passwords.

"It is a constant reminder as we move to a world where our lives are completely mediated by data, those data are not yet under control," Cate says. "That should offer caution. This time it was a shoe seller, the worst might be some financial fraud. But what happens when it is data that controls your eligibility to work or to fly."

Cate says he is a huge user and believer in technology, "but at the end of the day we are headed down a path we are not ready for in terms of implementing security."

Statistics show just how far things need to go. A November 2011 study by SplashData revealed that the two most popular passwords last year (and for many previous years, dating back into the 1990s) were "password" and "123456."

Research late last year by Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, found that among users of both Gawker and a second breached site whose passwords were stolen and exposed, 76% used the same password at both. The Gawker breach involved 1.3 million passwords; the other, 81,000.
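As an added illustration of the two points above (this is example code, not anything from the article or from Zappos): the unsalted fast hash that "cryptographically scrambled" often meant in practice leaves identical records for every user who picked the same password, so common choices and cross-site reuse are visible in a dump without recovering anything, whereas a per-user salt plus an iterated PBKDF2 digest does not. The denylist, the iteration count and the sample password are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed denylist (assumption): the two most common passwords named in the
# article plus a few more; a real deployment would use a full breached-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123"}
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-recommended work factor for PBKDF2-HMAC-SHA256


def fast_unsalted_hash(password: str) -> str:
    """One unsalted MD5 pass: 'scrambled', but identical for every user (and every
    site) that chose the same password, so reuse and common choices show up
    directly in a leaked dump. Shown only as the weak baseline."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Registration-time policy: refuse denylisted passwords, then store a
    per-user random salt plus an iterated PBKDF2-HMAC-SHA256 digest."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password denylist")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reuse_visible(record_a: str, record_b: str) -> bool:
    """True when two stored records are byte-identical, i.e. a leak of both
    would reveal password reuse without recovering the password at all."""
    return record_a == record_b


if __name__ == "__main__":
    pw = "Correct-Horse-42"  # constructed sample password
    print(reuse_visible(fast_unsalted_hash(pw), fast_unsalted_hash(pw)))  # True
    print(reuse_visible(store_password(pw), store_password(pw)))          # False
```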



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • RE: Zappos breach highlights fragile password, personal data security

    Another high value Linux target falls. Perhaps a coincidence but it sure seems like when the target has sufficient value Linux isn't nearly as bulletproof as the Linux advocates pontificate. Clearly no OS is bulletproof if the bad guys draw a bead ....

    Speaking of which, where are those pontificators?
    • I would imagine that many

      are off looking for ways to blame this on Microsoft.

      Tim Cook
    • RE: Zappos breach highlights fragile password, personal data security

      @whatagenda So are you privy to information that the rest of us don't have? I have yet to see any information that would indicate that the OS was compromised. With the scarcity of facts about the attack vector, your attack is premature.
  • RE: Zappos breach highlights fragile password, personal data security

    As an affected consumer, it does me no good to have an impressive password when the company who stores my information allows its own servers to be hacked!
    • RE: Zappos breach highlights fragile password, personal data security

      @charlesdhartman : Absolutely true - but OTOH, why do we, like sheep, allow our credit card data to be stored anyway??? It's time to become more proactive in determining how every retailer deals with credit card information. Think about it - if, in fact, there was NO information stored, what would happen to the motivation behind the cracks??? As it is, how many retailers are (knowingly or not) participating with crackers to expose every one of their credit customers to the risk of both identity and value theft. Maybe class action suits are more in order? Remember TJ Maxx? Didn't ANYONE learn from THAT????
      • RE: Zappos breach highlights fragile password, personal data security

        @Willnott Yes, I agree totally. I can't quite say "like sheep"... I think about it every time I allow my data to be stored. It's more "like sloths". After several of the recent attacks, I will be re-thinking that approach (however convenient). However, Zappos quickly made it very easy to change your password, and DID make it clear what information was compromised. Both the user who uses a bad password and allows information to be retained, and the retailer who was hacked and asked if you wanted information to be retained, are at fault. (LOL - of course, the HACKER is totally at fault!)
    • Affected?

      Hi Charles,

      It sounds like from your post that you were affected by the breach. Would like to chat with you further about this. Would this be possible? If so, please email me at Thank you.
  • RE: Zappos breach highlights fragile password, personal data security

    This has absolutely nothing to do with Linux (if they even use Linux), and everything to do with incompetent security staff. Fort Knox is secure until someone leaves the front door unlocked.

    The key is to assume that all data you give to a company will at some point be stolen, so don't allow any company that isn't liable for your cash to keep your credit card details on file. Only use companies that outsource the payment part to your bank/paypal/credit card company itself.
    • RE: Zappos breach highlights fragile password, personal data security


      Do you have inside information that would lead one to conclude it was lax security on Zappos part? If not, a bit premature to toss Zappos staff under the bus don't you think?
      • RE: Zappos breach highlights fragile password, personal data security

        @whatagenda : Maybe not lax security, but most definitely inappropriate principles of how to handle customers' credit card details! Why do they need to be "kept on file"? Did nobody ever learn anything from the TJ Maxx compromise several years ago? Have ANY retailers modified their policies as a result of THAT compromise? If credit card details were not retained, would the crack motivation be the same?
  • RE: Zappos breach highlights fragile password, personal data security

    As I mentioned in two replies - what this REALLY should highlight is why retailers are allowed to have a policy of retaining anyone's credit card information!!! If that information is not retained, the hack motivation will be greatly reduced, and we would be much less exposed to the risk of financial value and personal identity loss. We can't seem to get it through our lazy heads that convenience breeds carelessness!
  • RE: Zappos breach highlights fragile password, personal data security

    This issue is NOT about personal passwords, except that those affected must now change their password(s). THE ISSUE is ZAPPOS for their GROSS lack of security that permitted the breach to take place. So beat up on Zappos at least 24 million times, which won't even begin to make up for harm caused (yet to be caused) on the 24 million customers!!!
  • KeePass All the way!

    http - keypass dot info. I am a zappos user and didn't sweat. My password was a 15 digit, alphanumeric, case sensitive password with special characters unique to zappos. I don't even know what it was because I copied and pasted it from my blowfish encrypted keepass file each time. It is easy and free. It's on PC, Mac, iphone, android, linux, whatever.