
Zappos.com customer database compromised - clamstar
http://www.zappos.com/passwordchange
======
IgorPartola
LastPass FTW! The attacker will reverse my password just to find a bunch of
unusable bits :). What would be even cooler is an API on top of LastPass that
sites like Zappos could hook into to force a behind-the-scenes change of
passwords, similar to revoking a compromised certificate. Essentially, since
there is some lead time after the breach is discovered and before the attacker
manages to crack the long, random passwords, their efforts would be futile by
the time they are done since all LastPass passwords would have already been
changed.

Or we could just stop using passwords everywhere and not have this problem
again. Anybody? Anybody?

Disclosure: I have no affiliation with LastPass beyond being a satisfied user.

~~~
martingordon
I used to have three different passwords of varying complexity that I shared
across sites.

When Gizmodo's database was compromised and I didn't know which password I
used there, I decided to stop using the same set of passwords everywhere and
started generating and storing my passwords using 1Password. It's a little
annoying to use on my iPhone (particularly having to type my long master
password on the soft keyboard), but it's dead simple to use on the desktop and
I recommend it to everyone. I still have some sites that use my old passwords,
but 1Password's Smart Folders let me search my passwords for those and I plan
on changing those today.

(I haven't used LastPass so I can't comment on how it compares to 1Password)

~~~
reidmain
This is exactly what I do and I've switched friends and family over as well.

Whenever they bring up the perceived inconvenience (which goes down on the
desktop with practice) I simply remind them how much time they will waste if
one of their accounts is compromised.

Sure their foursquare (or pick another random service that doesn't hold
EXTREMELY important data) account isn't that important but when it uses their
Gmail address and has the same password they are just begging for trouble.

Also this gets them out of logging on to their Gmail and Facebook accounts
from public computers. They still don't fully understand the possible problems
but at least now it is such an inconvenience they just use their own devices.

------
jjacobson
Zappos developer here. I'll answer any questions that I legally can or help
get customer problems passed onto people that can help.

~~~
bestnameever
The email did not mention order history. Do you know if our personal order
history was among the items compromised?

~~~
jjacobson
There really is no good news in this type of situation, but only the data
items mentioned by Tony in the email above were compromised.

------
skrish
+1 for not storing clear text passwords.

I like the tone of the blog & how forthright they have been with dealing with
the issue.

~~~
conradev
> +1 for not storing clear text passwords.

That shouldn't need a +1.

~~~
dredmorbius
Considering that 90% of success is showing up, and the next 9% is avoiding
obvious failure paths, Zappos is doing pretty well here.

Lots of room for improvement above and beyond these two points, sure, but at
least they're not falling victim to the classic blunders.

Disallowing international sales means they'll probably also avoid getting
involved in a land war in Asia.

Now if I can just find my iocane powder...

------
Wilya
Page gives me: "We are so sorry – we are currently not accepting
international traffic. If you have any questions please email us at
help@zappos.com"

Could anyone paste/screenshot/... what there is to see?

~~~
kalyanganjam
You can check the URL
[http://viewtext.org/article?url=http://www.zappos.com/passwo...](http://viewtext.org/article?url=http://www.zappos.com/passwordchange)
in case content changes/updates in that page.

~~~
Loic
Adding the one really interesting thing: the way they communicate in house:
[http://viewtext.org/article?url=http://blogs.zappos.com/secu...](http://viewtext.org/article?url=http://blogs.zappos.com/securityemail)

------
davepeck
So: "cryptographically scrambled" -- do we believe they use a good hash, and
salt? Or... not?

------
aforty
I didn't get this notice so that means my information wasn't compromised?
Wouldn't bet on it.

~~~
jesseendahl
I didn't receive the email yet either. Hmm... just changed my password just in
case.

~~~
dylanbathurst
Yeah, I think they're sending the email out in separate blasts. This is one
email they don't want ISPs blocking IPs on because it looks like spam.

------
imjoel
Zappos sister site 6pm.com was compromised, too.

~~~
syneater
Correction, it was not a separate compromise, they share the same database
(since they share the same stock, etc.)

------
vnchr
My thanks to Zappos for that email. It was enough for me to give my wife
necessary suggestions to secure her associated accounts without alarming her.

It is probably worthwhile in these situations to provide basic implication
info for laymen, i.e. implications of "your cryptographically scrambled
password."

------
leak
I've been having issues with Zappos for a couple days. I called up support
yesterday and they said they were "upgrading the website and had bugs they
were trying to get fixed." Not sure if this is related or just a coincidence.

~~~
pkteison
Probably coincidence. Companies that expect a lot of Christmas traffic
minimize changes from Thanksgiving to Christmas, and web retail gets more
traffic during business hours in America, so I expect that this weekend and
last weekend saw a lot of code deployments, and so things are more likely to
be broken specifically right now than pretty much any other time of the year.

------
hummer
Good thing they didn't store passwords in clear-text!

~~~
getsat
That doesn't mean they're not using a bad (i.e., fast) hashing algorithm.

~~~
wahnfrieden
Or that they're not using reversible encryption.
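A worked illustration of the distinction this subthread (and davepeck's question above) turns on, added here as example code that is not from the original thread or from Zappos: a single fast, unsalted hash beside a per-user-salted PBKDF2 record with its constant-time verifier. The iteration count and the sample passwords are constructed values, not anything known about Zappos' setup.

```python
import hashlib
import hmac
import os

# Constructed work factor for this example; a real deployment tunes it to
# its hardware and raises it over time.
ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """One SHA-256 over the password: the 'bad (i.e., fast) hash' case.
    The same password always gives the same digest, so identical passwords
    across users are visible in a dump and each guess costs one cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Salted, slow hash: fresh random salt per user + PBKDF2-HMAC-SHA256.
    Unlike reversible encryption there is no key to recover; the record
    carries everything needed to verify a later login attempt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iters": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time so response timing does not leak how much matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_detectable(password: str) -> tuple:
    """Two users who pick the same password: with the fast unsalted hash the
    stored values collide (True); with per-user salts they differ (False)."""
    fast_same = fast_unsalted_hash(password) == fast_unsalted_hash(password)
    salted_same = make_record(password)["hash"] == make_record(password)["hash"]
    return fast_same, salted_same


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "wrong guess"))                   # False
    print(same_password_detectable("hunter2"))          # (True, False)
```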

------
alexlitov
I didn't get an email, but upon logging in - my password was reset and an
email sent with further instructions.

------
desigooner
FWIW, I just got a similar email from 6pm.com (It's a Zappos Affiliate) ..