Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: Zappos Breached - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Zappos Breached

The online retailer Zappos announced yesterday a breach to their systems and has expired all password accounts on zappos.com.  There is a letter to employees from Zappos CEO available on zappos.com.[1]  They are urging all customers to change their zappos account password immediately [2], also do so on accounts elsewhere if your password is in sync.  

It is also being reported they have turned off company phones and request inquires be sent to email, as their phone system capacity is not capable of the high volume.[3]   ISC Handlers outside the US have reported they are unable to get to the Zappos.com sites.  It appears they have opened things back up for some non-US traffic, but all traffic is not open as of this writing.

I have not read any report on this issue that indicates what day the incident was discovered.  There are also no avaialble details on how long the breach was active before being discovered by Zappos staff.  However, if basic incident handling protocols are being used for this incident, then it appears the discovery of the incident is only "days" old, and not "weeks" or more.  If this is true, I applaud Zappos for coming clean as quickly as possible.  Far too many companies wait too long to notify their customer base. 

If anyone has details they can share or reports that provide any further info, then feel free to post a comment or send it in to us directly.    

[1] http://blogs.zappos.com/securityemai
[2] http://www.zappos.com/passwordchange
[3] http://www.eweek.com/c/a/Security/Zappos-Latest-Company-Hit-by-Data-Breach-581979/
  

--
Kevin Shortt
ISC Handler on Duty

 

Kevin Shortt

81 Posts
ISC Handler
This also affected zappos.com's 6pm.com retail site. I received the notice yesterday. Funny thing is I just bought shoes there about a week ago!
Anonymous
The pastebin link is here: 1. http://pastebin.com/HhaPZ1BE

"Linux http://TMobileWebServer1.cl.datapipe.net 2.6.18-194.26.1.el5 #1 SMP Fri Oct 29 14:21:16 EDT 2010 x86_64"


This was published to Pastebin on the 14th of this month but the records listed show the compromise happened on October 29th. Looks like they are kind of late to the show.
Anonymous
Just spoke to someone who had their credit card number lifted after a Zappos charge over a month ago. I was told this was the only charge on the card. Could they have been hacked longer than just a few days ago? Could the hack have come from an internal source?
Anonymous

Thanks for the comments.

JColorossi: The link shows T-Mobile info. Am I missing the relevance?

ChanceyGardener: They could have been hacked longer AND known for more than a few days. However, there are a indicators that support the knowledge is only a few days old. That being said, nothing confirms it to date.

Sadly, it is very common for these types of breaches to go undetected for some time first, before being addressed.

-Kevin

Kevin Shortt

81 Posts
ISC Handler
The site was blocking access by international visitors, including Canada. Today (Tuesday morning) we Canadians are allowed back in, I don't know if any other countries are allowed.

The ban on access had included barring access to the outage information and password reset pages.

Andrew

41 Posts
Zappos is giving everyone a lesson on managing a data breach that everyone who may ever have to deal with the problem should look to for guidance. There is a lot to be learned. People understand that such things happen and, unless you've been egregiously lax in protecting their account information, will give you the benefit of the doubt. How you respond to the crisis will be what determines whether or not the issue is resolved with minimal damage or it deteriorates into a PR disaster.

As I said, Zappos is giving us a real-time lesson on how to do crisis management properly and we should all be taking notes. For a more detailed analysis: <a href="http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach">http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach</a>
Andrew
1 Posts

Sign Up for Free or Log In to start participating in the conversation!