Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.
The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:
"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."
While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers' online accounts.
How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply put, identity thieves could access your debit/credit card numbers at other online retailers or bank accounts where you use the same password.
It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.
- Immediately change your passwords at other online accounts/retailers where you have used the same password you used at Zappos.com,
- Change your online passwords every 90 days,
- Don't use the same password for all of your online accounts,
- Don't use passwords that are easily guessable, or match items on your profile page at Facebook or other social networking website,
- Learn how to create strong passwords,
- Don't use any passwords on this list, and
- Learn how to protect your sensitive personal information at public WiFi locations.
Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.
Addendum - January 19: At least one lawsuit has been filed against Zappos and its parent company, Amazon.com.