Zappos was using SHA-2 hash, now working with FBI

Summary: Zappos Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its "cryptographically scrambled" password format in the wake of a breach that forced the company to reset 24 million passwords.

Zappos, digging out from a breach that forced it to reset 24 million customer passwords, Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its "cryptographically scrambled" password format.

The company also said in a statement it was working with the FBI as part of an ongoing investigation that included "digital forensics."

"As such, we are unable to provide any additional details about anything related to the investigation," the company said in a statement posted to its Web site.

On Sunday, the online shoe outlet sent an email to its customers saying its systems had been hacked and compromised user data potentially included names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers along with cryptographically scrambled passwords, but not the actual passwords.

Analysts and media speculated on a definition for "cryptographically scrambled" with some saying it was a vacant term.

Thursday's statement said: "When a password is saved in our system, it is altered for the purpose of being unintelligible to other parties. This is what our email to customers was referencing when it stated that 'your cryptographically scrambled password (but not your actual password)' was possibly accessed."

Regardless, Zappos reset every customer's password and forced them to go back and create a new one. CEO Tony Hsieh in Sunday's email advised users to change their passwords on any other web site where they used the same or similar credentials.

In the status update late Thursday, Zappos said: "For security reasons, we are unable to disclose any specific details about the 'cryptographically scrambled' format used for Zappos customers' passwords, aside from confirming that we used a SHA-2 cryptographic hash function."

SHA stands for Secure Hash Algorithm. SHA-2 is a family of four hash functions; a hash acts like a tamper-resistant seal on data, since any change to the input produces a different digest. Cryptographic hash functions are used in digital signatures, message-integrity checks and other forms of authentication.

Secure Hash Algorithm was designed by the National Security Agency (NSA).
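To make the "tamper-resistant seal" description concrete, here is an added example in Python (not Zappos's code; the article says the company did not disclose its password format). It assumes the four SHA-2 members are the ones Python's hashlib exposes as sha224, sha256, sha384 and sha512. It computes a digest as an integrity seal and checks it, then contrasts a bare SHA-256 of a password, which is the same for every user who picks that password, with a salted, iterated SHA-2 construction (PBKDF2-HMAC-SHA256) that stores a random per-user salt beside the hash. All sample data is constructed.

```python
import hashlib
import hmac
import os

# Assumption: the article's "set of four hash functions" are the four
# SHA-2 members that hashlib exposes under these names.
SHA2_ALGORITHMS = ("sha224", "sha256", "sha384", "sha512")


def sha2_digests(data):
    """Hex digest of `data` under every SHA-2 family member."""
    return {name: hashlib.new(name, data).hexdigest() for name in SHA2_ALGORITHMS}


def make_seal(data, algorithm="sha256"):
    """Compute a digest to store alongside `data` as an integrity seal."""
    return hashlib.new(algorithm, data).hexdigest()


def check_seal(data, seal, algorithm="sha256"):
    """Recompute the seal and compare in constant time; any change to
    `data`, even one bit, yields a different digest, so the check fails."""
    return hmac.compare_digest(make_seal(data, algorithm), seal)


def hash_password_unsalted(password):
    """Bare SHA-256 of a password. Deterministic: two users with the same
    password get the same hash, so one cracked hash reveals both."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password_salted(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 (SHA-2 inside HMAC, iterated) with a random
    per-user salt. Returns (salt, hex_hash); store both with the record."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived.hex()


def verify_password_salted(password, salt, stored_hex, iterations=100_000):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    record = b"order=1234;ship_to=123 Example St"
    seal = make_seal(record)
    print("seal intact:", check_seal(record, seal))
    print("seal after edit:", check_seal(record.replace(b"1234", b"1235"), seal))
    for name, digest in sha2_digests(record).items():
        print(f"{name}: {len(digest) * 4}-bit digest")

    sample_pw = "correct horse"  # constructed sample password
    print("unsalted hashes equal:",
          hash_password_unsalted(sample_pw) == hash_password_unsalted(sample_pw))
    salt_a, hash_a = hash_password_salted(sample_pw)
    salt_b, hash_b = hash_password_salted(sample_pw)
    print("salted hashes equal:", hash_a == hash_b)
    print("verify with stored salt:", verify_password_salted(sample_pw, salt_a, hash_a))
```

The seal check and the password check both use hmac.compare_digest so that comparison time does not leak how many leading bytes matched. The salted variant is what makes two identical passwords stored for different users look unrelated in a leaked table, which a bare hash, however strong, does not do.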

In the fallout from the breach, Zappos, and parent company Amazon, have been sued by a Texas woman alleging that the release of personal account information harmed her and 24 million other Zappos customers.

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

1 comment
  • RE: Zappos was using SHA-2 hash, now working with FBI

    I'm not sure what all the hubbub is about. It sounds like Zappos was using good policy by scrambling passwords with SHA-2. Usually the clear password would be combined with the user name (which is unique), and possibly other data, and then run through the SHA-2 algorithm to generate the unique scrambled password. That way, even if two users had the same password, the SHA-2 hash would not match. It would make it very difficult to use a brute force attack to get even ONE password, much less many. Users should not be concerned here, unless Zappos is not telling the whole story.
    pleskinen