Amazon has warned users of its Zappos shoe store that it has reset their passwords, after names, email addresses and other personal information were stolen by hackers.
The announcement of the hack was initially made to Zappos employees in an email that was also posted on the official website. It reads: "We were recently the victim of a cyber-attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky."
"We are co-operating with law enforcement to undergo an exhaustive investigation."
The problem with incidents like this is password re-use. If you have a Zappos account with a password or email you've also used elsewhere, you should make sure to change it as well, as it wouldn't take much for someone to use your Zappos information to take over other accounts.
BBC News has a statement from CEO Mr. Hsieh which reads: "We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident."
Update: More information is emerging about the incident, and it has now been confirmed by security firm Sophos that Zappos has turned off its phone lines for fear that it wouldn't be able to deal with customer complaint calls. According to the email sent to staff after the hack, if just 5 per cent of customers complained, it would result in over a million calls, something the staff simply can't handle.
Instead, customers are being directed to complain or request assistance via email. Why you would need to get help to change a password I don't know, but if you're looking for information, it'll be best to wait for the official statements as there's no way to know you're getting anything personalised at a time like this.
The Sophos blog post points out another eyebrow-raising move by Zappos: the fact that it blocks the security message to anyone outside of the US. There's also no mention of the hack on the homepage, which isn't massively surprising, but a goodwill move by the shoe seller would be to publicise the attack as much as possible. If companies learned anything from Sony's botched PR efforts around its hack last year, it should be to act fast and honestly.
The shoe seller and Amazon have stated there is apparently a slight chance "the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)" were stolen. However, another statement from Mr. Hsieh mentioned that no financial or payment details had been compromised.
Started in 1999, Zappos quickly grew into one of the dominant online retailers for footwear, generating over a billion dollars in revenue during 2008. A year later, Amazon began courting the higher-ups, eventually securing a buyout deal by the end of 2009 for a reported $1.2 billion in cash and stock.