Online shoes and clothing retailer Zappos has warned customers of a security breach that exposed partial credit card details, billing and shipping addresses and other personal information, in a hack effecting 24m users. Detailed in a blog post last night, the Zappos attack was apparently though a Kentucky data center, though the servers responsible for storing full credit card and payment details was not impacted. Zappos is now mandating a change of password for all customers to restore security.
"We are cooperating with law enforcement to undergo an exhaustive investigation. Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.
The most important focus for us right now is the safety and security of our customers' information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We've already reset and expired their existing passwords.)" Tony Hsieh, CEO, Zappos
Zappos has already voided existing passwords, and will direct users to http://www.zappos.com/passwordchange in an email informing them of the security breach. The company is also suggesting that users change their password on other services where they are registered with the same details.
Although a vocal response is expected from shoppers, Zappos has actually decided to shut down its phone support lines and instead rely solely on email to communicate. That's being portrayed as a time-saving measure: the retailer's entire headquarters staff are being drafted in to handle customer services messages, and the predicted surge of concerned users would quickly overwhelm the switchboard.
"In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)" Zappos
[Thanks to everyone who sent this in!]