Online shoe and apparel shop Zappos, now owned by Amazon, reported earlier this week that 24 million users' names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers may have been illegally accessed. In response to this breach, Zappos has expired and reset all passwords. The company has also temporarily stopped using its 800-number phone service in order to redeploy customer-service representatives to respond to customer email.
Zappos CEO Tony Hsieh posted an open letter online to Zappos employees about a “cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” In this open letter, Hsieh wrote, “The most important focus for us right now is the safety and security of our customers’ information.”
Now, four days and counting after Zappos revealed that user details had been breached in a digital intrusion, the company is still blocking access to Zappos.com from outside the U.S. In one tweet, a Zappos customer service representative, Rick Duggan, apologized for the inconvenience and said that service had been restored to the United Kingdom and was “rolling out to other locations.”
Zappos says the attacker likely gained access to customers' names, email addresses, billing and shipping addresses, phone numbers, the last four digits of their card numbers and the customer’s “cryptographically scrambled password.” Other payment data, such as full credit-card and payment information, is not believed to have been accessed by the attacker.
If you are a Zappos or Amazon customer, we recommend that you take these steps right away:
- Change your password immediately. If you use this password for other online accounts, change it there as well.
- NEVER respond directly to information requests in emails. Retailers and banks should never ask you to provide sensitive information like your credit card or Social Security number in an email. Even if the email looks official or directs you to a website that appears to be an official company website, do not provide personal information or log in. Instead, contact the company at a well-known, published web address or phone number.
- Check your account statements regularly. Most financial institutions allow you to review your account online. Do a quick check of your credit, savings, and checking accounts. If you see suspicious activity, contact your bank or creditor immediately.