Waiting For The Other Shoe To Drop – Online Retailer Zappos Hacked
Data breach at big Internet retailer Zappos highlights the need for consumers to take precautions when setting up online shopping accounts in order to better protect their identity.
A server of the Amazon.com-owned online shoe and clothing retailer Zappos was recently breached by hackers. They were able to access the personal data of some 24 million Zappos customers.
According to a letter the company sent out, customers’ accounts may have been accessed illegally by unauthorized individuals, possibly compromising personal information such as the user’s name, email address, billing address, shipping address, phone number, the last four digits of any credit card number attached to the account and also possibly the account’s “cryptographically scrambled password.” The email went on to explain, somewhat reassuringly,
“The database that stores your critical credit card and other payment data was NOT affected or accessed.”
These days, practically all online retailers have wised up enough to store their customers’ payment information, such as credit card details, separately from the rest of their information. Zappos is among them, as its email indicates.
Likewise, it seems that Zappos has adhered to the standard practice of cryptographically scrambling all of its users’ passwords. However, as unlikely as it may seem, even scrambled passwords are considered valuable booty by thieves. “Hashes,” as these scrambled passwords are referred to in security speak, are theoretically very difficult to crack, but seasoned criminals often process them using computer programs that enable them to identify and pick out weaker passwords. With enough computing power at their disposal, hackers have the potential to figure out even passwords that are moderate or strong.
Research on the subject has indicated that most consumers are very likely to use the same password and same email account to set up profiles for multiple online shopping accounts. Therefore, once they have cracked one password, criminals are able to use it along with the corresponding email to siphon money methodically from the individual’s other accounts online.
Additionally, many consumers answer security questions with information that is relatively easy to obtain, such as their mother’s maiden name or their own date of birth. All sophisticated hackers need to do is use data mining techniques to gather such information, along with other information available on the Internet, in order to have enough with which to steal an identity.
There is already a class-action lawsuit pending against Zappos, filed January 16 in federal court by Theresa Stevens, a resident of Beaumont, Texas. She is making the claim that due to the security breach at Zappos she and other users “are more likely to receive e-mails from spoof websites and unknowingly give away personal information to hackers,” according to online news source pcmag.com.