Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to do plenty of damage. The damage can include spam sent to the stolen email addresses, spam to or from linked mobile phone numbers, and further break-ins to consumers' online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply put, identity thieves could use a password stolen from Zappos to get at your debit/credit card numbers at other online retailers or bank accounts where you use the same password.
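The Zappos notice tells customers to change their password "on any other web site where you use the same or a similar password." The script below is an added example (not from the original post, and not a Zappos tool) of how a consumer or help desk could check a password-manager export for exactly that: it flags sites whose passwords are identical to, or only trivial variations of, the password at the breached site. The account list and site names are constructed sample data, not real credentials.

```python
import difflib
from itertools import combinations

# Constructed sample export of (site, password) pairs. These are made-up values
# chosen to show the two cases the breach notice warns about: exact reuse and
# "similar" passwords that differ only by case or a trailing year/punctuation.
SAMPLE_ACCOUNTS = [
    ("shoes.example", "Sunshine2011"),   # the breached retailer in this scenario
    ("bank.example",  "Sunshine2011"),   # identical password reused at a bank
    ("mail.example",  "sunshine2012!"),  # same base word, different case/suffix
    ("forum.example", "Tr0ub4dor&3"),    # unrelated password
]

# Characters people commonly tack onto a base password to "make it different".
TRAILING_FILLER = "0123456789!@#$%^&*.?-_"


def normalize(password):
    """Reduce a password to its base word: lowercase, strip trailing digits/punctuation.

    Two passwords with the same base word are treated as 'similar' because an
    attacker holding one of them will try the obvious variations first.
    """
    return password.lower().rstrip(TRAILING_FILLER)


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] using difflib's SequenceMatcher."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def is_similar(pw_a, pw_b, threshold=0.8):
    """True when two different passwords share a base word or are nearly identical."""
    return normalize(pw_a) == normalize(pw_b) or similarity(pw_a, pw_b) >= threshold


def find_reuse(accounts, threshold=0.8):
    """Return (site_a, site_b, kind) for every pair of accounts sharing a password.

    kind is 'identical' for exact reuse and 'similar' for near-duplicates.
    """
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(accounts, 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical"))
        elif is_similar(pw_a, pw_b, threshold):
            findings.append((site_a, site_b, "similar"))
    return findings


def sites_to_rotate(accounts, breached_site, threshold=0.8):
    """List the other sites whose password must change after breached_site is compromised."""
    breached_pw = dict(accounts)[breached_site]
    return sorted(
        site
        for site, pw in accounts
        if site != breached_site
        and (pw == breached_pw or is_similar(pw, breached_pw, threshold))
    )


if __name__ == "__main__":
    for site_a, site_b, kind in find_reuse(SAMPLE_ACCOUNTS):
        print(f"{kind:>9}: {site_a} <-> {site_b}")
    print("After a breach at shoes.example, also change:",
          ", ".join(sites_to_rotate(SAMPLE_ACCOUNTS, "shoes.example")))
```

The 0.8 similarity threshold and the trailing-character list are assumptions chosen for the sample data; a real password manager's audit feature would tune both. The point the example makes is the one in the paragraph above: once one site's password is stolen, every site sharing it (or a close variant of it) is exposed, so rotation has to cover all of them, not just the breached one.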

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "oops, we lost a few passwords. Reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed against Zappos and its parent company,
