Got wind (via Twitter) this evening that Zappos.com was hacked. The CEO, Tony Hsieh, posted a letter to staff regarding the incident online. Oddly, they were blocking international access to the page.
So, I sent out a call for help to the good folks on Twitter and was able to get a copy of the posting from the Zappos site. Thanks to Jared, Jacob, Brian, DM, Ed, lolunix and so on. I really appreciate the assist.
From Pastebin:
SECURITY EMAIL
The following email was sent to our employees today:
Subject: Important – Security
Dear Zappos Employees -
Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with the FBI to undergo an exhaustive investigation.
Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
The most important focus for us is the safety and security of our customers’ information. Within the next hour, to ensure a greater level of security, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)
Here is the email that our customers will be receiving:
————————————————————————-
Subject: Information on the Zappos.com site – please create a new password
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The secure database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password. Please see the link at the end of this message to create a new password.
As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. We also recommend that you change your password on any other web site where you use the same or a similar password.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password. Please create a new password by clicking on the link below:
http:// [we will provide a secure, unique link for each customer]
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com
————————————————————————-
We have also created a web page that we will continue to update as we learn more about what questions customers have:
http://www.zappos.com/passwordchange
In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers.
Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)
We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I supposed the one saving grace is that the secure database that stores our customers’ critical credit card and other payment data was not affected or accessed.
Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.
Thanks everyone.-
Date: Sun, 15 Jan 2012
From: Tony Hsieh (CEO – Zappos.com)
To: Zappos Employees
Subject: Important – Security
Dear Zappos Employees –
Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.
Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)
Here is the email that our customers will be receiving:
————————————————————————-
Subject: Information on the Zappos.com site – please create a new password
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password.
Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com
————————————————————————-
We have also created a web page that we will continue to update as we learn more about what questions customers have:
http://www.zappos.com/passwordchange
In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)
We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.
Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.
Thanks everyone.
-Tony Hsieh
CEO – Zappos.com