Zappos breach highlights fragile password, personal data security

Zappos.com resets 24+ million user passwords after hackers attack its servers. The incident reveals once again the frailty of passwords, especially when reused across sites, and that the long-term value to hackers of other personal information stored online is higher than that of credit card numbers.
Written by John Fontana, Contributor

Another breach, another reminder that personal data created and stored on the Internet is often more valuable than credit card numbers and that, when compromised, it can have much more damaging consequences.

This time it was Zappos.com joining the ranks of Sony, Gawker, rootkit.com and many others who have lost account passwords and other data to hackers.

Zappos has reset 24+ million passwords exposed during a hack of its systems Sunday, sending its users scrambling to create new passwords.

In an email, Zappos CEO Tony Hsieh also advised users to change their passwords on any other web site where they used the same or similar credentials. And he called out possible phishing scam exposure by reminding users that Zappos.com "will never ask you for personal or account information in an e-mail."

But passwords and phishing are not the only user exposures. Experts say other personal data compromised in the Zappos attack could be combined to present a wealth of possibilities for personal attacks on end-users.

In his email Hsieh said compromised user data potentially included names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers along with cryptographically scrambled passwords, but not the actual passwords.

"It's pretty easy if you have an electronic data set to break all but the most rigorous [password] encryption," says Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research. A Zappos PR spokeswoman said she could not provide information on encryption levels the company uses.

"So if you suddenly had names, last four digits and passwords, you would have a real treasure trove," said Cate. "Then the most logical attack is not phishing, it is attacking those accounts where the user already does business."

Cate said hackers would have enough data "for one person to start to impersonate another person. Or for one person to impersonate a business trying to contact a legitimate customer."

Imagine being contacted about an account six months after a breach by someone who had the last four digits of your credit card, your name and your address.

"I would find it really hard to immediately be suspicious of that," said Cate, who specializes in privacy, security, and other information law issues. "Those are all the indicators we teach people to know that a legit person is trying to contact them."

Cate tempered his comments by saying so far these big breaches have not resulted in waves of fraud. "The first thing is don't panic," he said.

Hsieh in his email tried to temper panic. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."

While that may be a relief to some who could suffer a $50 fee to cover fraudulent card use, it ignores the larger issue Cate raises and that Hsieh only hints at in his email.

The credit card industry has had policies for years to deal with stolen accounts. Those same institutional controls, however, don't exist for email addresses, weak passwords and reuse of passwords.

"It is a constant reminder as we move to a world where our lives are completely mediated by data, those data are not yet under control," Cate says. "That should offer caution. This time it was a shoe seller, the worst might be some financial fraud. But what happens when it is data that controls your eligibility to work or to fly?"

Cate says he is a huge user and believer in technology, "but at the end of the day we are headed down a path we are not ready for in terms of implementing security."

Statistics show just how far things need to go. A November 2011 study by Splashdata revealed the two most popular passwords last year (and for many previous years dating into the 1990s) were "password" and "123456."

Research late last year by Joseph Bonneau, a PhD student with the Security Group at the University of Cambridge Computer Laboratory, found that among customers of the Gawker and rootkit.com sites whose passwords were stolen and exposed, 76% used the same password at both sites. The Gawker breach involved 1.3 million passwords while rootkit.com had 81,000.