Zappos was using SHA-2 hash, now working with FBI

Zappos Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its "cryptographically scrambled" password format in the wake of a breach that forced the company to reset 24 million passwords.
Written by John Fontana, Contributor

Zappos, digging out from a breach that forced it to reset 24 million customer passwords, Thursday said it was using a SHA-2 cryptographic hash but would not disclose any details about its "cryptographically scrambled" password format.

The company also said in a statement it was working with the FBI as part of an ongoing investigation that included "digital forensics."

"As such, we are unable to provide any additional details about anything related to the investigation," the company said in a statement posted to its Web site.

On Sunday, the online shoe outlet sent an email to its customers saying its systems had been hacked and compromised user data potentially included names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers along with cryptographically scrambled passwords, but not the actual passwords.

Analysts and media speculated on a definition for "cryptographically scrambled" with some saying it was a vacant term.

Thursday's statement said: "When a password is saved in our system, it is altered for the purpose of being unintelligible to other parties. This is what our email to customers was referencing when it stated that 'your cryptographically scrambled password (but not your actual password)' was possibly accessed."

Regardless, Zappos reset every customer's password and forced them to go back and create a new one. CEO Tony Hsieh in Sunday's email advised users to change their passwords on any other web site where they used the same or similar credentials.

In the status update late Thursday, Zappos said: "For security reasons, we are unable to disclose any specific details about the 'cryptographically scrambled' format used for Zappos customers' passwords, aside from confirming that we used a SHA-2 cryptographic hash function."

SHA stands for Secure Hash Algorithm. SHA-2 consists of a set of four hash functions, which are like a tamper-resistant seal. Cryptographic hash functions can be used in digital signatures, message integrity and other forms of authentication.

Secure Hash Algorithm was designed by the National Security Agency (NSA).
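The "tamper-resistant seal" behaviour described above, as an added example that is not part of the article and not Zappos's code. It uses Python's standard `hashlib` with SHA-256, a member of the SHA-2 family, on constructed sample input: any change to the input produces an unrelated digest, which is what makes the hash usable as an integrity check. The article does not say whether Zappos salted or iterated its password hashes, so the example also shows a bare SHA-256 password digest beside a salted, iterated construction (PBKDF2-HMAC-SHA256, also built on SHA-2) so the difference between the two storage formats is visible; the salt, iteration count and record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (not data from the article).
MESSAGE = b"Order #12345: 2 pairs, ship to 1 Main St"
TAMPERED = b"Order #12345: 3 pairs, ship to 1 Main St"


def sha256_hex(data: bytes) -> str:
    """SHA-256 (one of the SHA-2 functions) as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def seal_verifies(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hamming_bits(a_hex: str, b_hex: str) -> int:
    """Count of differing bits between two equal-length hex digests
    (shows the avalanche effect: roughly half of 256 bits change)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def bare_password_hash(password: str) -> str:
    """Password stored as an unsalted SHA-256 digest. Fast to compute and
    identical for every user who chose the same password."""
    return sha256_hex(password.encode("utf-8"))


def salted_iterated_hash(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt and a high iteration count.
    Record layout 'salt$iterations$digest' is an assumed illustration format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive from the stored salt and iteration count, compare in constant time."""
    salt_hex, iter_str, digest_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iter_str)
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def new_salt() -> bytes:
    """Fresh random 16-byte salt for a new password record."""
    return os.urandom(16)


if __name__ == "__main__":
    seal = sha256_hex(MESSAGE)
    print("seal:", seal)
    print("original verifies:", seal_verifies(MESSAGE, seal))
    print("tampered verifies:", seal_verifies(TAMPERED, seal))
    print("bits changed by a one-character edit:",
          hamming_bits(seal, sha256_hex(TAMPERED)))

    # Two users with the same password: bare hashes collide, salted ones do not.
    print("bare hashes equal:", bare_password_hash("hunter2") == bare_password_hash("hunter2"))
    rec_a = salted_iterated_hash("hunter2", new_salt())
    rec_b = salted_iterated_hash("hunter2", new_salt())
    print("salted records equal:", rec_a == rec_b)
    print("verify correct password:", verify_salted("hunter2", rec_a))
    print("verify wrong password:", verify_salted("hunter3", rec_a))
```

The integrity-seal part is what the article's description covers. The password-storage part is the check a practitioner would want to ask about after reading the statement: confirming a SHA-2 function was used does not by itself say whether each stored value was salted or slowed down, and those two properties are what determine how much a leaked hash helps someone guessing passwords.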

In the fallout from the breach, Zappos, and parent company Amazon, have been sued by a Texas woman alleging that the release of personal account information harmed her and 24 million other Zappos customers.
