According to an entry posted on the company blog on Sunday, online shoe and clothing giant Zappos has suffered a massive security breach compromising some data on as many as 24 million customer accounts. In an email to employees, CEO Tony Hsieh said the company was attacked by “a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” Hsieh also said the company was cooperating with authorities in an “exhaustive investigation.”
Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
Below the notice to employees, Hsieh attached the text of the email sent to customers. Zappos account holders were advised that unauthorized access had been gained to “one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).”
Customers were advised–capslock advised, no less–to “PLEASE CREATE A NEW PASSWORD,” as one of the company’s security measures was to go ahead and existing passwords.
Zappos also clearly anticipates a huge customer response (perhaps backlash?) to the news:
Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)