An Amazon footwear subsidiary has reported an estimated 24 million customers are affected by a security breach. But while it’s only the sloppy password brigade who’ll suffer among the public, it’s Zappos itself that’s getting the most hassle.
The hacking itself is the same old, same old: somebody gained access to a company server in Kentucky and read the database containing customer details. These include names, e-mail addresses, physical addresses, phone numbers and the last four digits of card numbers. The database also contains what the company describes as encrypted passwords, though there's no word yet on how they were stored and therefore how quickly (if at all) they can be cracked. That detail matters more than the word "encrypted" suggests: passwords stored with a single fast hash and no salt fall to an offline dictionary attack in minutes, while per-user salts and a deliberately slow hashing function make every guess expensive and stop one cracked hash from unlocking every customer who chose the same password.
The good news is that the full-length credit card numbers, expiry dates and other details are in a separate database that remains secure and was not accessed. For customers, then, the immediate danger is credential reuse: if they use the same e-mail address and password combination on other sites, and more to the point if those other sites give access to sensitive information, a password recovered from this dump opens those accounts too. The names, addresses and partial card numbers are also exactly the details that make a follow-up phishing e-mail look convincing.
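To make the "how quickly can they be cracked" question concrete, here is an added example, not code from the original article or from Zappos, that runs the same offline dictionary attack against two constructed versions of a leaked customer table: one stored with an unsalted SHA-1 hash, one with a per-user salt and PBKDF2. The user list, the passwords, the wordlist and the PBKDF2 work factor are all assumptions made up for the demonstration; none of it describes what Zappos actually used.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration: a tiny "leaked" customer
# table. None of these users, passwords or hashes come from the Zappos breach.
WORDLIST = ["password", "123456", "zappos1", "letmein", "qwerty", "sunshine"]
USERS = {
    "alice@example.com": "sunshine",
    "bob@example.com": "zappos1",
    "carol@example.com": "sunshine",       # same password as alice
    "dave@example.com": "Tr0ub4dor&3!x",   # not in the attacker's wordlist
}
PBKDF2_ROUNDS = 100_000  # assumed work factor for the slow, salted scheme


def store_unsalted_sha1(password: str) -> dict:
    """The weak scheme: one fast hash, no salt, identical for identical passwords."""
    return {"alg": "sha1", "hash": hashlib.sha1(password.encode()).hexdigest()}


def store_salted_pbkdf2(password: str) -> dict:
    """The stronger scheme: random per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"alg": "pbkdf2", "salt": salt.hex(), "hash": dk.hex()}


def build_dump(store) -> dict:
    """What the attacker walks away with: email -> stored password record."""
    return {email: store(pw) for email, pw in USERS.items()}


def shared_passwords(dump: dict) -> list:
    """Groups of accounts whose stored hashes are identical.

    With an unsalted hash this exposes password sharing across accounts before
    a single guess is made; with per-user salts every record differs."""
    by_hash = {}
    for email, rec in dump.items():
        by_hash.setdefault(rec["hash"], []).append(email)
    return [emails for emails in by_hash.values() if len(emails) > 1]


def crack(dump: dict, wordlist) -> tuple:
    """Offline dictionary attack. Returns (email -> recovered password, guesses).

    `guesses` counts hash/KDF evaluations: the cost the storage scheme imposes
    on the attacker for this wordlist."""
    found = {}
    guesses = 0
    table = {}
    # Unsalted fast hash: hash the wordlist once and reuse the table for every
    # account in the dump, so the cost does not grow with the number of customers.
    if any(rec["alg"] == "sha1" for rec in dump.values()):
        table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
        guesses += len(wordlist)
    for email, rec in dump.items():
        if rec["alg"] == "sha1":
            if rec["hash"] in table:
                found[email] = table[rec["hash"]]
        elif rec["alg"] == "pbkdf2":
            # Salted: the shared table is useless; every account costs a fresh
            # run of the slow KDF for each candidate password.
            salt = bytes.fromhex(rec["salt"])
            for w in wordlist:
                guesses += 1
                dk = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, PBKDF2_ROUNDS)
                if hmac.compare_digest(dk.hex(), rec["hash"]):
                    found[email] = w
                    break
    return found, guesses


if __name__ == "__main__":
    for name, store in (("unsalted sha1", store_unsalted_sha1),
                        ("salted pbkdf2", store_salted_pbkdf2)):
        dump = build_dump(store)
        found, guesses = crack(dump, WORDLIST)
        print(f"{name}: shared={shared_passwords(dump)} "
              f"cracked={found} guesses={guesses}")
```

Both schemes give up the three weak passwords to this six-word list, but the unsalted table does it with six hash computations for the whole dump (and reveals that alice and carol share a password before any guessing starts), whereas the salted PBKDF2 table costs a separate slow KDF run per candidate per account and grows linearly with the number of customers. Every recovered e-mail and password pair is what an attacker then tries against other sites, which is the reuse risk described above.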
Aside from being hacked in the first place, Zappos seems to have done a model job of dealing with the fallout, which only goes to show how — even when a company hasn’t lost cash directly — the sheer task of dealing with potentially 24 million customers suddenly asking “what the hell?” can be a major disruption in itself.
The company has sent out the expected explanatory e-mail. It has also reset all passwords, then created a separate web page (clearly signposted from across its entire site) for those who want to change their password again. It has also stressed that it won't be asking for any user details via e-mail, an attempt to stave off the phishing scams that typically follow a breach of contact details.
Zappos has also decided to simply shut down its phone lines completely, reasoning that even if only a small percentage of 24 million customers call, it could be facing switchboard meltdown. Instead it's redirecting all customers to make queries via e-mail, and has assigned all staff at its headquarters (regardless of their job) to deal with these queries.
It’s also taken the unusual, but logical step of completely shutting its website to overseas visitors; the company doesn’t ship overseas and thus has clearly decided that there’s no point letting whatever traffic it gets outside the US reduce the chances of anxious customers getting on the site.