Zappos Hacked: Internal Systems Breached

Posted by samzenpus
from the under-the-wire dept.
wiredmikey writes "Zappos appears to be the latest victim of a cyber attack resulting in a data breach. In an email to Zappos employees on Sunday, CEO Tony Hsieh asked employees to set aside 20 minutes of their time to read about the breach and what communications would be sent to its over 24 million customers. While Hsieh said that credit card data was not compromised, he did say that 'one or more' of the following pieces of personal information has been accessed by the attacker(s): customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers. User passwords were 'cryptographically scrambled,' he said."
  • breach database? (Score:5, Insightful)

    by GuldKalle (1065310) on Monday January 16, 2012 @02:34AM (#38711122)

    Is there a site covering breaches like these? It would be nice to have an easily searched database with number of users, the kind of info that was accessed, the attack vector etc.

    • Re:breach database? (Score:4, Informative)

      by Securityemo (1407943) on Monday January 16, 2012 @02:45AM (#38711160) Journal
      http://datalossdb.org/ [datalossdb.org]
      • Re: (Score:1, Insightful)

        How is this post informative? That site doesn't have anything about the Zappos breach ... or anything that's happened in the last six months. It hasn't posted an update since June, 2011 - and that includes their monthly reports.

        I applaud datalossdb.org's efforts to try to make this data available in one place, but it needs new 'volunteers' (and probably some more donations).
    • by Anonymous Coward

      http://dazzlepod.com/disclosure/
      Their most recent entry: http://dazzlepod.com/stratfor/
      Zappos's not up yet..

    • A good one also would be http://www.databreaches.net/ [databreaches.net] - M

  • by Anonymous Coward on Monday January 16, 2012 @02:38AM (#38711134)

    I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos. After all, Cyber CEO Tony Hsie- oh fuck I can't keep this up.

    Don't call it a cyber attack. It was an attack. This isn't 1996.

    • hahaha! Now I have to watch Angelina Jolie in Hack3rs
      • by lemur3 (997863)

        she has a twenty eight point eight bee pee ess modem!!!

        clearly the problem is availability of 3D glasses... cyber criminals will stop at nothing to defeat corporate giants!

    • by mixmasta (36673) on Monday January 16, 2012 @06:23AM (#38711886) Homepage Journal

      Then the hackers drove away on the INFORMATION SUPERHIGHWAY ... in a YUGO, oops... equivalent of a CYBER-CORVETTE.

    • by Anonymous Coward

      Fuck off. Cyber is the best prefix ever.

      Sincerely,
      William Gibson

    • by SeaFox (739806)

      I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos.

      I'm sure there's a gumshoe on the case already.

    • by drinkypoo (153816)

      Don't call it a cyber attack. It was an attack. This isn't 1996.

      Just be glad they're not calling it an e-Attack.

      How do you suggest the news differentiate the sort of "attack" that results only in a little hard disk thrashing and data transfer from the kind that results in dead bodies, bleeding, running, and screaming?

    • by arose (644256)
      Where do you stand on bank robberies?
  • Other than my email, and the last 4 of my nearly maxed out credit card, that's pretty much all public record anyway.
  • First the bad news.. (Score:5, Interesting)

    by lemur3 (997863) on Monday January 16, 2012 @02:42AM (#38711152)

    from the email going out to customers:
    Subject: Information on the Zappos.com site - please create a new password

    First, the bad news:

    We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

    THE BETTER NEWS:

    The database that stores your critical credit card and other payment data was NOT affected or accessed. ...translation:

    The Bad News is that things are shitty.

    The Good News is that people are learning to love the smell of shit.

    • does cryptographically scrambled mean what I think it does or does he just use the wrong description?

      • by RKThoadan (89437)

        Can you think of a better way to communicate this to John Q. Public?

        • Not really, but if they were storing salted password hashes with a sufficient algo he should be able to get away with "No actual passwords were revealed"

    • The Good News is that people are learning to love the smell of shit.

      indeed. as one joke in a japanese anime so aptly put it :

      "Even an old man's armpits grow on you with prolonged exposure ...."

      im telling you.... the people making those animes. crazy ....

    • The best news:

      All user IDs are safe unless their passwords are "123456", "ABCDEF", or "password". We *did* ask you to change them from these defaults. If you did not, we suggest you meet with your new 0wners.

  • by Anonymous Coward

    To suss it all out, they'll need to hire a gumshoe...

  • by seifried (12921) on Monday January 16, 2012 @02:50AM (#38711182) Homepage

    Sadly, password storage is actually tricky and most places do it wrong (using MD5/SHA1 for example). Covered in the Nov 2011 article Storing your passwords properly [linux-magazine.com] (disclaimer: I wrote it, and it's a PDF file). One problem is that even if Zappos enforces strong passwords, users have a tendency to reuse their strong passwords between sites (you can only memorize so much gibberish or passphrases). Hopefully Zappos learns from this and builds a more resilient system.

    • by dgatwood (11270) on Monday January 16, 2012 @02:56AM (#38711212) Journal

      Like storing authentication information on a separate server from user information. This tends to make the info a lot less useful.

      Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

      • by grantek (979387)

        Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

        Yes you have.

        • by Threni (635302)

          No you haven't. User ID #67215298's username is Boris1322 but how would the attacker know this?

    • by fliptout (9217)

      Thanks for this.. I've been looking for advice on storing passwords.

    • by Cato (8296) on Monday January 16, 2012 @03:30AM (#38711330)

      Mod parent up, the article is quite good.

      A more general and simpler answer though is to *always use a standard library* - see http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919 [stackoverflow.com] for a good answer.

      Also ensure that your password storage is one-way hashed, and *salted* with a random salt (different per user) and uses *password stretching* (i.e. iterates the hashing function thousands of times to make brute forcing much more expensive). See http://slashdot.org/comments.pl?sid=1987632&cid=35150388 [slashdot.org] for more on password stretching including phpass, the gold-standard library for PHP used by WordPress, Drupal, etc.

      Most importantly, never write your own password storage - you are virtually guaranteed to get it wrong. Apart from the above issues, what about timing attacks? (Zend has an article about this from a PHP perspective.)

      • Did you actually read his article?

        A more general and simpler answer though is to *always use a standard library*

        Except PHP 5.3.7, like he mentions in the article. You can't always trust your libraries

        and uses *password stretching* (i.e. iterates the hashing function thousands of times to make brute forcing much more expensive).

        And where he says in the article how bad of an idea this is, compared to using a work-factor algorithm like bcrypt

        • by Cato (8296)

          I did read the article, although quickly, and I wasn't very impressed with it. See http://slashdot.org/comments.pl?sid=2622556&cid=38711478 [slashdot.org] for some of the errors. The mention of GPUs is really irrelevant to security, and most useful for crackers.

          By "standard library" I really mean something like phpass that is written by developers who are highly security-aware. PHP's built in libraries probably don't qualify on that score.

          phpass will work on almost any version of PHP, and can use MD5 or SHA1 if that

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I'm going to have to disagree with this statement from your article: "Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

    • by fliptout (9217)

      Python wrapper for bcrypt. Looks like what I need for my project:

      http://code.google.com/p/py-bcrypt/ [google.com]

    • by Anonymous Coward on Monday January 16, 2012 @04:18AM (#38711478)

      You know, I almost posted something when this article was first published but I decided it wasn't worth it. But now that it's come up again in the context of helping people I must say something.

      This article is absolutely full of errors.

      The end recommendation of using bcrypt is fine, but beyond the basic concepts the rest has major problems. A few examples:

      1. AES is not a hash function. It can be used in some constructions to emulate a hash, but you wouldn't just call that AES-256 as you do, nor is it commonly used this way.
      2. "Because hash functions like AES256 only provide 2^256 possible unique outputs..." Only? This would put you at ~2^128 outputs before you could really hope to get a collision (and not a collision with a specific output, just any two outputs colliding). This is WAAAY beyond the resources of all of humanity.
      3. "Brute-forcing older algorithms is definitely possible now (DES and 3DES already fell to brute-force attacks several years ago)." Since when was 3DES brute-forced? I see no evidence that even 2TDEA has been brute-forced, let alone 3TDEA which is what people actually use. Citation greatly needed.

      There are other problems as well, but these are enough to give a taste of the issues.

      • by seifried (12921)

        Sadly I wish it were so

        1. AES is not a hash function. It can be used in some constructions to emulate a hash, but you wouldn't just call that AES-256 as you do, nor is it commonly used this way.

        No but sadly it is used as one. Google results for SHA password storage: 143,000 results, results for AES password storage: 490,000 results. It is commonly used that way.

        2. "Because hash functions like AES256 only provide 2^256 possible unique outputs..." Only? This would put you at ~2^128 outputs before you could really hope to get a collision (and not a collision with a specific output, just any two outputs colliding). This is WAAAY beyond the resources of all of humanity.

        We said the same things about DES/3DES, Moore's law, the growth of botnets, and all that has some interesting side effects

        3. "Brute-forcing older algorithms is definitely possible now (DES and 3DES already fell to brute-force attacks several years ago)." Since when was 3DES brute-forced? I see no evidence that even 2TDEA has been brute-forced, let alone 3TDEA which is what people actually use. Citation greatly needed.

        DES was cracked in 1998 on $250,000 or so of custom hardware, using an average of 4.5 days (so half the key space). In the last 13 years hardware has gotten SIGNIFICANTLY faster and cheaper, from a

        • We said the same things about DES/3DES, Moore's law, the growth of botnets, and all that has some interesting side effects

          A common misunderstanding of Moore's Law is that computers double in speed every 18 months. Were that true and it held true forever, then a 256-bit hash would fall about 100 years after its 128-bit counterpart. (To those double-checking the math at home: the birthday paradox implies that you only effectively get the strength of half those bits.)

          Horizontally scaling has a much, much worse payoff. Suppose you make a billion (2^30) node botnet running 24/7/365 dedicated to cracking hashes. That would make the
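
The "half the bits" remark above (and point 2 in the comment it replies to) is the birthday bound: with an n-bit hash, a collision between *any* two outputs is expected after roughly 2^(n/2) evaluations, not 2^n. The following is an added example, not code from the thread or the linked article; it truncates SHA-256 to a small, constructed output width so the bound can actually be observed by brute force, and carries through the "doubling every 18 months" arithmetic from the post above as a separate function.

```python
"""Birthday bound on an n-bit hash, shown on a truncated SHA-256.

Added example (not from the thread). A hash with n output bits has 2^n
possible values, but a collision between any two outputs is expected
after about sqrt(pi/2 * 2^n) ~= 2^(n/2) evaluations. Full SHA-256 cannot
be collided here, so the digest is truncated to a small n (a constructed
toy hash) and the first collision is found by exhaustive search.
"""
import hashlib
import math
from typing import Optional, Tuple

def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256 as an integer (toy hash, constructed)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def expected_trials(bits: int) -> float:
    """Expected number of hashed inputs before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def first_collision(bits: int, limit: Optional[int] = None) -> Optional[Tuple[int, bytes, bytes]]:
    """Hash 'input-0', 'input-1', ... until two inputs share a truncated
    digest. Returns (trials, input_a, input_b), or None if `limit` is hit."""
    seen = {}
    limit = limit or 4 * 2 ** bits        # safety stop; not reached in practice
    for i in range(limit):
        msg = f"input-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None

def years_between(bits_small: int, bits_large: int, doubling_years: float = 1.5) -> float:
    """Lag between collision attacks on two hash sizes under the naive
    assumption that attacker throughput doubles every `doubling_years`:
    each extra *effective* bit (half the output bits) costs one doubling."""
    return ((bits_large - bits_small) / 2) * doubling_years

if __name__ == "__main__":
    for n in (24, 32):
        trials, a, b = first_collision(n)
        print(f"{n}-bit: expected ~{expected_trials(n):.0f}, first collision after {trials} ({a!r} vs {b!r})")
    print("256-bit lags 128-bit by", years_between(128, 256), "years under 18-month doubling")
```

For 32 output bits the search ends after tens of thousands of hashes rather than billions, which is the whole point of the bound; the 96-year figure is the thread's "about 100 years" stated exactly.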

    • One problem is that even if zappos enforces strong passwords users have a tendency to reuse their strong passwords between sites (you can only memorize so much gibberish or passphrases).

      User education is the key here. There's no good reason for re-using passwords, at least for most people. For many years, OS X has included a keychain manager you can use to store passwords and other sensitive information. Gnome offers a similar tool for Linux users, and I know there are third-party Windows programs that do pretty much the same thing. These utilities make it almost trivial to use different strong passwords for all your online accounts - yet relatively few people know they even exist!

      I'm sure

      • Crap, sorry about screwing up closing that bold tag somehow.

      • by CastrTroy (595695)
        I've been using this method for years. I recommend this to everyone I know. But for most people, it is a bit of a hassle. The biggest problem is that you have to keep the file backed up, and you have to ensure that your backup is current. If you lose the file, you have now lost access to all your online accounts. Some people say they keep their file in a DropBox account, but personally, I wouldn't trust my data there. They had a data breach a little while back. Even if I change all my passwords (arduou
    • by fatphil (181876) on Monday January 16, 2012 @05:17AM (#38711672) Homepage
      It's hard to take seriously an article which contains remarks like the dumb:
      "26 letters, 10 numbers, 11 other character keys for a total of 94 characters"
      to the misleading:
      "Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

      It also overlooks the fact that you're increasing your workload by a factor of X in order to increase the attacker's workload by a factor of X. Therefore there is precisely no leverage at all, and it's not really much of a win, that's a break even cost-wise.

      The paragraph beginning "The advantage of bcrypt..." also seems to show that you don't appreciate the difference between a PRP like AES and a PRF like MD5 when it comes to collisions from iterated images. I'm not 100% sure about the logic you're using to lead to the "1000 possible values" claim either. In fact, quite the opposite. Are you claiming that if MD5 were iterated 2^160 times, there would be 2^160 such possible values? (I.e. every input would match a password stored in the rainbow tables.) Sounds bogus, in fact.
      • It's hard to take seriously an article which contains remarks like the dumb:
        "26 letters, 10 numbers, 11 other character keys for a total of 94 characters"

        This part is right: (26 + 10 + 11) * 2 = 94. But yeah, he forgot space so it should be 95.

        • by emt377 (610337)

          This part is right: (26 + 10 + 11) * 2 = 94. But yeah, he forgot space so it should be 95.

          26 uppercase, 26 lowercase, 10 digits, 12 punctuation/space = 74.

          My problem is requirements like, "One uppercase, two digits, one punctuation, 8-20 characters." You know people will use exactly this and nothing else, at close to the minimum length. So for an 8-char password you get 26*26^4*10^2*12 combinations. However, if you just let people use 8 lowercase chars you get 26^8, which is 14 times as big. In addition, by outright banning punctuation and digits it's no longer possible to search a smaller

          • 26 uppercase, 26 lowercase, 10 digits, 12 punctuation/space = 74.

            No, the digit keys all have special characters when you hold shift, and the 11 special character keys all have 2 choices as well, so there are 33 special characters on the keyboard including space. That's 95 total. Look at your keyboard and count them.

            I think this throws off the rest of your calculations. The 43 numbers and punctuation together are a lot more than the 26 lowercase letters. And you failed to take into account that, even when done in a stupid way, people are likely to switch around the or
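
The two counts argued over here (emt377's 26 * 26^4 * 10^2 * 12 for a rigid "1 upper, 4 lower, 2 digits, 1 punctuation" recipe versus 26^8 for plain lowercase, and the 12-versus-33 punctuation figures) are easy to get wrong by hand, so here is an added example, not code from the thread, that computes them. It generalises the argument slightly: it also counts the same recipe when the character classes may appear in any order, which is the point the reply raises about people switching the positions around. Alphabet sizes are parameters; the values used are the ones from the posts.

```python
"""Key-space of passwords that exactly satisfy a composition policy.

Added example (not from the thread). Counts passwords built from a fixed
recipe, e.g. "1 uppercase, 4 lowercase, 2 digits, 1 punctuation" for
eight characters, in two ways:
  * fixed order: the classes sit in one agreed position pattern
    (emt377's 26 * 26^4 * 10^2 * 12);
  * any order: the same multiset of classes in every arrangement.
"""
from math import factorial
from typing import Dict, Tuple

# Alphabet sizes assumed for a US-English keyboard, as used in the thread.
UPPER, LOWER, DIGITS = 26, 26, 10
PUNCT_EMT377 = 12   # emt377's count of punctuation/space
PUNCT_REPLY = 33    # the reply's count: 11 keys x 2, 10 shifted digits, space

# recipe: class name -> (alphabet size, number of positions of that class)
Recipe = Dict[str, Tuple[int, int]]

EMT377_RECIPE: Recipe = {
    "upper": (UPPER, 1), "lower": (LOWER, 4), "digit": (DIGITS, 2), "punct": (PUNCT_EMT377, 1),
}
REPLY_RECIPE: Recipe = dict(EMT377_RECIPE, punct=(PUNCT_REPLY, 1))

def fixed_order_keyspace(recipe: Recipe) -> int:
    """Passwords matching the recipe with the class pattern fixed."""
    total = 1
    for size, count in recipe.values():
        total *= size ** count
    return total

def arrangements(recipe: Recipe) -> int:
    """Distinct position patterns for the class multiset (multinomial)."""
    length = sum(count for _, count in recipe.values())
    denom = 1
    for _, count in recipe.values():
        denom *= factorial(count)
    return factorial(length) // denom

def any_order_keyspace(recipe: Recipe) -> int:
    """Passwords matching the recipe when classes may sit in any position."""
    return fixed_order_keyspace(recipe) * arrangements(recipe)

def free_keyspace(alphabet: int, length: int) -> int:
    """Baseline: every position drawn from one alphabet, no policy."""
    return alphabet ** length

def compare(recipe: Recipe, length: int = 8) -> Dict[str, float]:
    fixed = fixed_order_keyspace(recipe)
    any_order = any_order_keyspace(recipe)
    lower_only = free_keyspace(LOWER, length)
    return {
        "fixed_order": fixed,
        "any_order": any_order,
        "lowercase_only": lower_only,
        "lowercase_over_fixed": lower_only / fixed,
        "any_order_over_lowercase": any_order / lower_only,
    }

if __name__ == "__main__":
    for name, recipe in (("emt377", EMT377_RECIPE), ("reply", REPLY_RECIPE)):
        print(name)
        for key, value in compare(recipe).items():
            print(f"  {key}: {value:,.2f}" if isinstance(value, float) else f"  {key}: {value:,}")
```

With emt377's figures the fixed-order recipe is indeed about 14.6 times smaller than 26^8; allowing the 840 possible arrangements of the same classes turns that around, so the size of the space an attacker must search depends heavily on whether users really do pick one fixed pattern.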

            • by fatphil (181876)
              "Look at your keyboard and count them."

              13 of my keys have 3 symbols, and 1 has 4 symbols. My total will be different from yours. Mine will even differ from that of others in the same country as me, as we have 2 very different standard keyboard layouts for the two different linguistic groups in the country.
          • Even worse than that, I so often see websites that give you a *maximum* password length of somewhere between 12 and 20 characters and even forbid the use of anything but letters and numbers. My password *must* be between 8-12 characters? What the hell good is that? I always wonder "What's the point of forcing me to pick a strong password then?" It'll be strong enough for any sort of remote brute-force attack, but one assumes just about any password other than 12356 works for that since most sites limit you to ~3-5 l

        • by fatphil (181876)
          Where does the unstated *2 come from? Is that some US-centric there-are-only-two-symbols-per-key, the unshifted and the shifted, assumption which is inappropriate for 90% or more of the world? (Even the UK would typically have the pound sign, which isn't ASCII, as a shifted character, so the assumption doesn't even hold in the UK.) And why is a comment about security even focussing on one specific implementation of an input device anyway? The character set that's available to me when I use my N9 is differen
          • Because the linked article you were complaining about specified a calculation prefaced with "suppose you want to precompute the hash values for all valid characters on a US-English keyboard", about the amount of storage needed for a rainbow table. Of course there were other errors in the article, but you picked on a relatively minor part that was correct. UK keyboards have something like 13 more characters than the US one, which increases the number of possible 8-char passwords using the keys on the keybo

    • by gweihir (88907)

      Nothing wrong with using MD5 or SHA1, as long as you iterate and salt competently. Of course, using, e.g., PBKDF2 is better, as it avoids convergence. Still, if passwords are bad, all this does not help a lot.
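
Both this comment and Cato's earlier one describe the same recipe: a one-way hash, a random per-user salt, and iteration (stretching), with Cato adding the constant-time comparison to close the timing-attack angle. The block below is an added example, not code from the thread, the linked article, or phpass. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the "standard library" choice (others in the thread prefer bcrypt; the structure is the same), stores a self-describing record so the work factor can be raised later, and keeps an unsalted MD5 function only to show the property the salt removes.

```python
"""Salted, stretched password storage beside a bare unsalted hash.

Added example (not from the thread). Per-user random salt, a configurable
PBKDF2 iteration count as the stretching step, and a constant-time
comparison on verification. The record format used here is constructed:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time
    so a wrong guess does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was produced with a lower work factor than the
    current setting; re-hash on the user's next successful login."""
    return int(record.split("$")[1]) < iterations

def unsalted_md5(password: str) -> str:
    """The pattern the thread warns against: no salt, no stretching, so equal
    passwords give equal digests and one precomputed table serves every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("same password, different records:", rec_a != rec_b)
    print("verify ok:", verify_password(pw, rec_a), "wrong:", verify_password("wrong", rec_a))
    print("unsalted md5 identical for both users:", unsalted_md5(pw) == unsalted_md5(pw))
```

The salt makes the two records for the same password differ, which is what defeats a shared lookup table; the iteration count is what makes each guess cost the attacker as much as it costs the server, the break-even point fatphil notes above.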

    • by emt377 (610337)

      Sadly password storage

      The issue isn't password storage, but credit card information. Nobody cares if their password is broken; it's pretty easily changed. Handling CC information securely is far more difficult than basic account information and secure password authentication.

      CC information needs to be stored in a physically separate server which has no web servers and accepts no remote logins, but uses entirely internal, minimal protocols that omit any possibility of read access to data. All operations need to be task-based; no setter

  • Is 6PM.COM a part of ZAPPOS? Because they just sent a similar announcement.
  • by I'm Not There (1956) (1823304) on Monday January 16, 2012 @04:13AM (#38711456)

    Shit happens; the way you handle a crisis is what matters. Zappos was very open about this, sent me an email, asked me to change my password, set up new email addresses and web pages for this problem and questions that customers may have, and announced the issue quickly.

    I wish more companies would act like this.

    • My wife tried to order shoes tonight, and first the site insisted she change her password. Then it took -forever- for the address/payment info to appear before it would let the order go through. Trying to phone them got a "We're sorry - we cannot take your call at this time" recording - *very* unusual for Zappos. Makes me think this has them pretty bent out of shape. Wish I'd seen this before she placed the order. We may be buying some slimeball a lot of shoes...
      • They explicitly said they turned off their phone lines because the Cust Service Dept was getting swamped. I can understand that actually.

        I would like to agree with the GP. They made a mistake, but unlike Sony they handled it well. If it happens again I will probably take my business elsewhere, but for now I'm OK with how they responded.

    • by Anonymous Coward

      I wish more companies would act like this.

      No need to wish for this. Words are cheap and security is not, so every day more companies adopt this clever strategy. The genius of this is it not only saves money on useless security but also betters the company's (and its CEO's) image, and if that weren't enough there's also some free publicity.

  • So, they reset your passwords. If you use a few different passwords across sites and don't remember which is which, you can't try any of them to tell which one you did use at the site.

    This seems less secure to me. Resetting the password means you can't tell what password you used there.

    • by SpzToid (869795)

      This is why I try to get my colleagues, many of whom are 'normal users' in a volunteer charity website for example, to use Passpack [passpack.com]. I try to teach them to use strong unique passwords for each site they register with, while actually only having to remember about two passwords (and using copy/paste). But also a feature of Passpack (like other similar services, I imagine) is being able to share passwords among a workgroup, in case the server admin gets hit by a bus for example. This solution is the best I've

    • by webheaded (997188)
      Kind of dumb but helpful...I had my password saved in my browser and looked it up there. I'm sure that is insecure as hell though and now that I realize that my browser just throws it out there without encrypting it at all...I'm a bit nervous. As much as I love computers and shit...sometimes I hate them.
      • by higuita (129722)

        In firefox you can set a master password to secure your saved passwords

        • by webheaded (997188)
          I'm more worried about nefarious programs or whatever rummaging through there...not my wife finding the passwords. :p

          Setting a password up for Firefox doesn't do jack shit, as far as I'm aware. That's all stored in an SQLite db anyway.
          • by blueg3 (192743)

            The passwords aren't stored cleartext in the database, they're encrypted with your master password.

    • by DarkOx (621550)

      If you are doing that you have larger issues. So when a site rejects your password and you try some others, you are potentially submitting credential pairs which may be valid elsewhere to a compromised host. BAD

      If you don't know what password Zappos had for your account, then you should set new passwords on ALL your accounts.

  • Such a cheerful thing to find waiting for you in your inbox. My email was waiting for me this morning.

    I suppose it is a small price to pay for my semi-orthopedic, little old lady Crocs, the ugliest and most comfortable shoes on the planet.

    Passwords are becoming a bummer.

  • ...what Zappos is. I mean, why not just call it $companyfunction $company. Would it be so much to say what this company with millions of users does/sells?
    • by theswade (2020510)
      Have you considered clicking on the link in the article? The first sentence answers your question.
    • by blop (71154)

      I was wondering exactly the same thing... Slashdot forgets that a lot of readers aren't from the US and don't know anything about US-centric brand names...

    • by Jeng (926980)

      In this day and age it makes little sense to ask another person what something is if you have access to a computer.

      If someone had mentioned this to me in meatspace and I wasn't near the internet I would ask what Zappos is, but you are on the net, it is easier to Google than it is to ask.

      Now if it was something that didn't pull up within the first few links then you would have something to stand on, but Google gets it right with the first link.

    • why not just call it $companyfunction $company

      So do you call this site slashdot, or do you call it uber-geek discussion board slashdot?

  • ...an "Applications Security Engineer" (http://about.zappos.com/jobs) Duties include: "Develop security improvements for the company’s websites and backend applications." Evidently, this position is still unfilled.
  • Back in December there was a Zappos Rock n' Roll marathon in Las Vegas that drew a lot of ire for its many shortcomings, including running out of food and water, replacing said water with non-potable fire hydrant water making many people sick, overcrowding, disorganized medical response teams, etc. It would not surprise me to learn that someone decided to inflict this attack as retribution. However, that's just speculation. There are plenty of other feasible motives.
  • For those in the Vegas IT/InfoSec community who have heard the stories (or have firsthand experience) of their hiring/screening process, this was only a matter of time. If you are screening out the folks with the hacker/InfoSec mindset (those that think differently/outside the box), are you hiring the best folks for the InfoSec role?

    Seems the 'cool kids club' at Zappos was not enough to defeat the attackers.

    • by emt377 (610337)

      If you are screening out the folks with the hacker/InfoSec mindset (those that think differently/outside the box),

      They're not thinking outside the box, they're thinking inside a different box. Just hiring someone who thinks inside that particular box isn't by itself sufficient, or rather doesn't guarantee anything beyond basic competence for the job. It's MUCH easier to break into a system than secure it, because you only need one vulnerability. Those who are the best at finding these vulnerabilities typically aren't the same ones who are the best at preventing them. You can't secure a system by trial-and-error (f

      • by emt377 (610337)
        "Often good hackers aren't useful for more than vulnerability testing." ... because their vulnerability-finding box doesn't adequately intersect the system-security-design box.
