Online shoe and apparel retailer Zappos was hacked Sunday, and the Amazon-owned company is asking its customers to change their login credentials after data belonging to 24 million of its users was stolen in the hack.
According to a notice from the company, 24 million customers' names, e-mail and billing addresses, phone numbers and the last four digits of the credit cards were stolen in the hacking incident, which also included Zappos' satellite discount Web site, 6pm.com.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," said CEO Tony Hsieh in an announcement posted on the Web site Sunday night. Hsieh said an investigation is underway.
Hackers did not receive full credit card information or other payment info as that information was stored on another server the hackers could not crack.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh said. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."
According to Hsieh, all passwords were reset as a security precaution, and customers were given, and will receive, additional instructions on security measures.
Hsieh said that while all members of the company will help assist customers affected by the hack, Zappos is temporarily turning off its phones due to increased call volume, instead opting to assist via email or Twitter.
"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," according to an email written to employees.
The hack, while more than substantial, was not the biggest hack in the past year. In April, Sony's PlayStation Network was the victim of a similar hack, compromising the data of nearly 70 million customers.
In addition to a copy of the email that went out to customers notifying them of the hack, Zappos posted password reset instructions and security tips on its Web site to give insight into how customers can protect their accounts.
"Please create a new password by visiting Zappos.com and clicking on the 'Create a New Password' link in the upper right corner of the web site and follow the steps from there," the company said.
Zappos advises that customers:
1. Create a new password for their Zappos account (though passwords have already been expired and reset for security purposes) at http://www.zappos.com/passwordchange
2. Also, create new passwords for any other Web site where similar login credentials (user names and/or passwords) are used.
3. Ignore any emails or calls from Zappos.com or other Web sites that ask for personal or account information.
4. If they have any additional questions, customers can email a representative at firstname.lastname@example.org
It is unclear at this moment whether Zappos will offer affected customers free identity theft protection services.