Zappos, the online retailer, posted a message on its website Sunday evening to its employees, detailing the magnitude of the data breach and the steps being taken to mitigate the problem.
A copy of the email being sent to the customers whose accounts were hacked is included in the message (in the link above). Important to note is that the data accessed included passwords, names, email addresses, shipping and billing addresses, phone numbers, and only the last four digits of any credit card numbers held on the Zappos servers.
Zappos is also trying to reassure customers that full credit card numbers were not compromised in the data breach. According to the statement by Tony Hsieh, the CEO of Zappos, the full credit card numbers were not accessed; they were apparently stored elsewhere in the Zappos system.
The report notes that the cyber-attack occurred at a server in Kentucky, USA.
While the passwords were stolen, they were stored in a cryptographic form which may be difficult for the hackers to use. Nonetheless, Zappos has expired and reset the passwords of all of its customers, which will force every customer to change their password before using the site again. For a time, all customer questions will need to be handled by email; Zappos acknowledged it did not have the capacity to accept calls from even five percent of its customers, which would have been more than a million calls.
Zappos is urging all of its customers to change their passwords on other websites if the same password was used on those sites.
With twenty-four million customers affected, this isn't the largest data breach to have occurred, but it is an extremely large data loss.
One of the largest and most recent cyber-attacks resulting in the loss of customer data was the Sony PlayStation attack last year, in which 77 million accounts were reportedly breached.