Zappos Hacked, Security Email Asks Users To Change Passwords

Martin Brinkmann
Jan 16, 2012
Updated • Jan 16, 2012

Zappos yesterday notified all of their employees and customers that a company server has been compromised. The email, accessible online only for visitors from the US, indicates that the attackers may have gotten hold of part or all of the customer account database of Information that may have been retrieved by the attacker include customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of the credit card number and encrypted passwords.

Tony Hsie, Zappos' CEO, notes that the credit card and payment database has not been affected or accessed by the attacker.

While not in immediate danger, customers are asked to change their account passwords at the next possible moment to protect their accounts from unauthorized access. If the attackers managed to dump the account username and password, they have likely started to decrypt the passwords with the help of dictionary lists and brute forcing. The attackers cannot use the information directly on the Zappos site though, as passwords have been reset by the company. Customers are asked to create a new password by "clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there". It is alternatively possible to open the Password Change page right away on the website which leads to the create a new password page.

Zappos notes that users should change passwords on other websites if they have used the same password for accounts on those sites. If the attackers manage to decrypt the passwords, they could try to log into email accounts or other popular web services.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

Resetting more than 24 million customer passwords must have not been an easy decision for the company CEO. Other hacked companies have reacted differently in the past, for instance by only emailing their customers about the breach and asking them in the email to change their account passwords. The better safe than sorry approach seems to be better suited for these kind of situations. What's your take on the news, and do you think that Zappos made the right move?


Previous Post: «
Next Post: «


  1. DB said on January 20, 2012 at 5:18 am

    I received the email from Zappos and changed my hotmail/windows live p and other passwords immediately. Today when I went to log in to hotmail, it forced me to change my password and this has never happened to me before. A friend who also received the Zappos email notification had this same thing happen to her. Is the Zappos hack and forced password reset connected? Did hotmail search their servers for Zappos users and proactively force password changes? Or, alternatively, did someone try to access my account and did this trigger the force change page? Or is this just a coincidence. It was legitmately the hotmail log-in page, I did not follow a link in any email.

    1. Karen said on January 27, 2012 at 12:32 am

      Ditto on the forced hotmail password change; I am wondering the same … whether the Zappos email triggered Hotmail/MSN Live to force the password change.

  2. Roy said on January 17, 2012 at 2:12 am

    Personally I think they took the right move in resetting all the passwords – just emailing people to ask them to change them isn’t good enough – some people (probably the ones with weak passwords in the first place) don’t care enough about security to bother…

    If a company screws up it’s the company that should secure all the accounts so well done Zappos/Amazon (but shouldn’t have happened of course).

  3. ilev said on January 16, 2012 at 7:25 pm

    Zappos is part of Amazon. So if you use the same password on both sites beware.

  4. Dan said on January 16, 2012 at 5:40 pm

    I think that Zappos should have better secured their server in the first place. Unfortunately, we are likely to hear of more and more such attacks, so now is probably a good time to make the switch to KeePass or similar password manager and a new strategy for securing login information.

  5. VT said on January 16, 2012 at 4:46 pm

    Looks like 6pm got hacked too or both are linked, got an email from them to reset the password. Logged in to their website saw the message displayed there to reset the password. Hope there site is not compromised to even announce that in their own site :)

    Have a nice day.

  6. DanTe said on January 16, 2012 at 4:28 pm

    Considering that I’m a Zappos customer, I find it curious that I’ve received no email as of yet.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.