In a Jan. 15 blog, Zappos said that someone hacked into its internal network and systems through one of the company’s servers in Kentucky. The hacker was able to access customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords.
Zappos stressed that the database that stores customers’ full credit card numbers and other payment information was not breached. The company said it is cooperating with law enforcement in investigating the incident.
The company voided existing passwords for affected customers and directed them to create a new password.
Zappos has turned off its phones and is directing customers to contact the company only by email because its phone system is not able to handle the expected volume of customer inquiries about the breach.
“We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident”, lamented Tony Hsieh, chief executive officer at Zappos.
Commenting on the Zappos breach, Neil Roiter, director of research with Corero Network Security, predicted that the hacker might use the information to launch phishing attacks.
"Imagine millions of customers receiving a phishing email with their billing address, phone number and the last four digits of their credit card number. Only a small percentage have to take the bait to make for a very effective and profitable criminal phishing campaign", Roiter observed.