
Zappos was using SHA-2 hash, now working with FBI

By John Fontana | January 19, 2012, 5:00pm PST

Summary: Zappos Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its “cryptographically scrambled” password format in the wake of a breach that forced the company to reset 24 million passwords.

Zappos, digging out from a breach that forced it to reset 24 million customer passwords, Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its “cryptographically scrambled” password format.

The company also said in a statement it was working with the FBI as part of an ongoing investigation that included “digital forensics.”

“As such, we are unable to provide any additional details about anything related to the investigation,” the company said in a statement posted to its Web site.

On Sunday, the online shoe outlet sent an email to its customers saying its systems had been hacked and compromised user data potentially included names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers along with cryptographically scrambled passwords, but not the actual passwords.

Analysts and media speculated about what “cryptographically scrambled” actually meant, with some calling it an empty term.

Thursday’s statement said: “When a password is saved in our system, it is altered for the purpose of being unintelligible to other parties. This is what our email to customers was referencing when it stated that ‘your cryptographically scrambled password (but not your actual password)’ was possibly accessed.”

Regardless, Zappos reset every customer’s password and forced them to go back and create a new one. CEO Tony Hsieh in Sunday’s email advised users to change their passwords on any other web site where they used the same or similar credentials.

In the status update late Thursday, Zappos said: “For security reasons, we are unable to disclose any specific details about the ‘cryptographically scrambled’ format used for Zappos customers’ passwords, aside from confirming that we used a SHA-2 cryptographic hash function.”

SHA stands for Secure Hash Algorithm. SHA-2 is a family of four hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) that map an input of any length to a fixed-size digest; the digest changes unpredictably if the input changes, and the input cannot be recovered from the digest. Cryptographic hash functions are used in digital signatures, message integrity checks and other forms of authentication.

Confirming SHA-2 says little about how well the passwords were protected, however. A bare SHA-2 digest of a password is fast to compute, so an attacker who obtains the hashes can test guesses at very high rates and will recover every account that shares a common password in one step. Standard password storage therefore combines the hash with a random per-user salt and a deliberately slow derivation such as PBKDF2 or bcrypt. Zappos did not say whether its “scrambled” format included either.

The SHA family was designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology as a federal standard.
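To make the difference between the formats concrete, here is an added example in Python. It is not code from the article or from Zappos, whose actual scheme was never disclosed: it uses constructed sample accounts and a constructed attacker wordlist, stores the passwords once as bare SHA-256 digests and once as salted PBKDF2-HMAC-SHA256 records, and runs a dictionary attack against the bare store. The 200,000-iteration work factor is an assumed value, not one from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts (not real customer data). Two users share a
# password; that is exactly what an unsalted scheme exposes.
SAMPLE_USERS = {
    "alice@example.com": "shoes123",
    "bob@example.com": "shoes123",
    "carol@example.com": "Tr0ub4dor&3",
}

# Constructed attacker wordlist; a real one would hold millions of entries.
WORDLIST = ["password", "123456", "shoes123", "zappos", "letmein"]

# Assumed work factor for the salted scheme (not a value from the article).
PBKDF2_ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """Bare SHA-256 of the password: fast, deterministic, no salt.

    This is the weakest plausible reading of "we used a SHA-2 hash".
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted digests.

    One hash per candidate word is enough, and it can be precomputed once;
    equal passwords give equal digests, so a hit recovers every matching user.
    """
    lookup = {unsalted_sha256(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Random per-user salt plus a slow derivation (PBKDF2-HMAC-SHA256).

    Stored as "iterations$salt_hex$hash_hex" so verification can recover
    the parameters; attackers must redo the full work for every guess per user.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> dict:
    """Build both stores from the sample accounts and report what each reveals."""
    unsalted_store = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    salted_store = {u: salted_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    return {
        # Same password, same digest: the store itself leaks password reuse.
        "unsalted_collide": unsalted_store["alice@example.com"] == unsalted_store["bob@example.com"],
        # The wordlist recovers both shared-password users in one pass.
        "cracked": crack_unsalted(unsalted_store, WORDLIST),
        # With random salts the same password yields different records.
        "salted_collide": salted_store["alice@example.com"] == salted_store["bob@example.com"],
        "verify_ok": verify_pbkdf2("shoes123", salted_store["alice@example.com"]),
        "verify_wrong": verify_pbkdf2("shoes124", salted_store["alice@example.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running the block shows the two shared-password accounts falling to a five-word list against the bare SHA-256 store, while the salted records for the same two accounts differ and can only be checked by repeating the full 200,000-iteration derivation for each guess against each user.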

In the fallout from the breach, Zappos and parent company Amazon have been sued by a Texas woman alleging that the release of personal account information harmed her and 24 million other Zappos customers.


Disclosure

John Fontana

First and foremost, John is employed as an Identity Evangelist by Ping Identity, which provides cloud identity security software to enterprises and cloud service providers. In his role, he tracks the identity industry and relevant issues. He does not have financial interests in any companies he covers, and opinions expressed are his own.

Biography

John Fontana

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity. Prior to Ping, John spent 15 years as a senior reporter for a variety of publications, including Communications Week, Internet Week and Network World, where he focused on enterprise topics including collaboration, directories, network infrastructure, databases, open source, ERP and security. He covered IBM, Microsoft, Cisco, Oracle, Red Hat, Google among other enterprise vendors. His work has also appeared in the New York Times, CNN, CIO and Mashable.

Comments

I'm not sure what all the hubbub is about. It sounds like Zappos was using good policy by scrambling passwords with SHA-2. Usually the clear password would be combined with the user name (which is unique), and possibly other data, and then run through the SHA-2 algorithm to generate the unique scrambled password. That way, even if two users had the same password, the SHA-2 hash would not match. It would make it very difficult to use a brute force attack to get even ONE password, much less many. Users should not be concerned here, unless Zappos is not telling the whole story.
