Online retailer Zappos.com is telling 24 million customers that their personal information has been compromised, and is forcing all of them to reset their passwords. Cyber criminals may have accessed customers' names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of their credit card numbers, the firm said in an announcement posted on Zappos' Web site late Sunday night. Full credit card numbers were not stolen, the firm said, because they were stored separately.
The announcement included the text of an e-mail that Zappos customers will soon receive.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," says the e-mail, which is signed by Tony Hsieh, Zappos CEO. "For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password."
While passwords that may have been stolen were cryptographically scrambled, Zappos said, it is still requiring all consumers to change their passwords. Zappos also recommends that consumers who use their Zappos password on other sites — a common, if unsafe, practice — should change those passwords, too.
Zappos has set up a special Web page for customers to visit and change the password: http://www.zappos.com/passwordchange.
Anticipating a flood of customer service calls in response to the notification e-mail, Zappos is taking the unusual step of turning off its customer service telephone lines and forcing consumers with questions to send them in via e-mail.
"Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email," Hsieh said in a note to employees, also posted on the firm's Web page. "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)"
Hsieh said the firm would have "all hands on deck" to help customers with questions.
Judged by the number of customers affected, Zappos' data breach is among the biggest thefts of customer information ever, but still considerably smaller than last year's incident involving the Sony PlayStation Network, which reportedly affected 77 million customers.
Hsieh struck an apologetic tone in both the e-mail to consumers and the memo to staff.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," he said in the memo. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."