You've probably read by now that online retailer Zappos suffered a security breach affecting over 24 million customers. As a Zappos customer, I received the email last night alerting me about the breach. I got a nearly identical email from their sister company, as well. This is a clear sign that I buy too many shoes.

What's interesting to me about this breach is that Zappos is renowned for their customer service, so watching how they communicate in the coming days and weeks should be an interesting case study. A few notable points so far:

  • Tony Hsieh, the CEO, posted a copy of the internal email that they had sent to all their employees. And tweeted about it. The only difference from the customer-facing email was that it stated the number of records affected. But it's unusual for a company to share internal communication like this.
  • Zappos expired everybody's password, forcing customers to follow the password reset workflow before regaining access to their account. Usually a company will urge you to change your password but won't force you to do so. This was a good move on their part. The servers seemed very overloaded though; around 9pm last night it took me a few minutes (and a couple of server timeouts) to successfully reset my password.
  • Around the same time, Zappos disabled international access to their website, meaning that anybody outside the US couldn't reset their password as instructed in the email. This seemed a bit odd. As I am writing this post, the site is still unavailable to international customers. This has understandably frustrated some customers.
  • In the customer-facing email, Zappos notes that credit card numbers were not affected, but "cryptographically scrambled" passwords were. This is where I believe they ought to be more forthcoming. What does "cryptographically scrambled" entail? An unsalted MD5 hash, Stratfor style? Salted hashes? Symmetric encryption? A homegrown algorithm? Something stronger like bcrypt or scrypt? This detail is critical, because it indicates how easy it will be for attackers to recover the original passwords from the affected customers and try to use them on other sites like Gmail, Facebook, Twitter, and others. Customers might be more likely to change their password on other websites if they understood the relative risk.
  • The email does not disclose how long customer data was exposed prior to the breach notification. This is an important detail that was omitted.
  • Zappos has been actively engaging with customers on their @Zappos_Service Twitter account. In fact, last night when I posed a question to the CEO's Twitter alias, @Zappos_Service responded 4 minutes later. They didn't have an answer, but they responded.
  • They turned off their phone system because they felt responding via email would be more efficient (and their phone system couldn't handle the volume anyway). Still, can you imagine a "typical" company doing this? It seems simultaneously crazy and brilliant.
  • It takes a long time to send 24+ million emails. I received mine last night at 8:34pm and 9:03pm, but a colleague here at Veracode mentioned he didn't get his until this morning. So assuming they're going out alphabetically by e-mail address, that's how long it took to get from "c" to "r".
  • Since both and were affected, it's possible that they shared a single database. There are a bunch of scenarios though. It could be a vulnerability in application code shared by both sites. It could have also been an insider attack, but the fact that credit card numbers were not compromised suggests to me that the attack was external.
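To make the "cryptographically scrambled" question above concrete, here is an added illustration (not code from this post or from Zappos) of three ways a site could store passwords, and what each one gives an attacker who obtains the table: whether identical passwords are visible, and roughly how many guesses per second a leaked record can be tested against. PBKDF2-HMAC stands in for the bcrypt/scrypt mentioned above because it is in Python's standard library; the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import time

# Added illustration, not code from the original post or from Zappos.
# PBKDF2-HMAC stands in for the bcrypt/scrypt the post mentions because it is
# in the standard library; the iteration count is an assumed work factor.
PBKDF2_ITERATIONS = 100_000

def store(password: str, scheme: str) -> dict:
    """Store a password under one of three 'scrambling' schemes."""
    pw = password.encode()
    if scheme == "md5":            # unsalted: every user with this password gets the same hash
        return {"scheme": scheme, "hash": hashlib.md5(pw).hexdigest()}
    salt = os.urandom(16)          # per-user random salt for the other two schemes
    if scheme == "sha256-salted":  # salted but fast: defeats precomputed tables, still cheap to guess
        digest = hashlib.sha256(salt + pw).hexdigest()
    elif scheme == "pbkdf2":       # salted and deliberately slow: each guess costs real CPU
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS).hex()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt.hex(), "hash": digest}

def verify(record: dict, password: str) -> bool:
    """Recompute the stored hash for a candidate and compare in constant time."""
    pw = password.encode()
    if record["scheme"] == "md5":
        computed = hashlib.md5(pw).hexdigest()
    else:
        salt = bytes.fromhex(record["salt"])
        if record["scheme"] == "sha256-salted":
            computed = hashlib.sha256(salt + pw).hexdigest()
        else:
            computed = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS).hex()
    return hmac.compare_digest(computed, record["hash"])

def duplicates_visible(records: list) -> bool:
    """True when identical passwords can be spotted from the stored hashes alone."""
    hashes = [r["hash"] for r in records]
    return len(hashes) != len(set(hashes))

def guesses_per_second(record: dict, samples: int = 5) -> float:
    """Approximate rate at which candidates can be checked against one leaked record."""
    start = time.perf_counter()
    for i in range(samples):
        verify(record, f"constructed-guess-{i}")  # constructed candidates, all wrong
    return samples / max(time.perf_counter() - start, 1e-9)
```

The unsalted table leaks which users share a password and can be matched against precomputed hashes without any per-user work; the salted-but-fast scheme removes precomputation but still allows very high guess rates; only the slow KDF materially limits how far a leaked table gets an attacker.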

For me, the two things to watch for now are how quickly they restore international access and whether or not they disclose how passwords were stored and what "cryptographically scrambled" means in that context. Security breaches happen to the best of companies and these days what differentiates you is how you respond. So far I believe Zappos is on the right track.

(Incidentally, Tony Hsieh's book, Delivering Happiness, is a fantastic read. I have a lot of respect for how this company operates, and not just because my shoes arrive overnight.)



About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (5)

James Dorrian | January 16, 2012 4:43 pm

Perhaps a premature assessment on my part, but it seems their action is bold and decisive, which is exactly what is necessary in the event of a breach.

Dan | January 16, 2012 7:17 pm

"This detail is critical, because it indicates how easy it will be for attackers to recover the original passwords"

This detail is critical because it gives us a gauge into how much Zappos really cared - pre-loss.

But to paraphrase Ranum...

If a company tells you that they've been hacked and that you should change your password, you should change your password.

Any amateur risk assessment at this point is foolhardy.

CEng | January 16, 2012 8:34 pm

@Dan: Valid point regarding "how much they really cared" pre-loss. But still, people should know how urgent the situation is. Call it amateur risk assessment if you want, but to me it's making informed decisions. Do people need to change their passwords immediately on every site where they've used that email/password pair? Probably not. How long do they have? Depends on the answer to my question.

Dan | January 16, 2012 10:43 pm

You're not really informed, even if they said salted hashes, you should still take their advice and change your passwords, immediately, everywhere (that you care about).

It was urgent enough to the people on the inside of Zappos for them to make the business call to inconvenience all of their customers. I imagine that, as a matter of good corporate governance, they didn't take this step lightly.

Would you do the same actions that they are doing if you knew that the passwords were managed properly? Maybe it's just me, but I would totally minimize my press releases if I knew I had nice secure bcrypted passwords. i.e., "You might want to change your passwords sometime in the next year or so if you think a major government might want access to your accounts... Otherwise, check out these cool new shoes..." ;)

My guess is either crypt or md5/no salt.

CEng | January 17, 2012 10:35 am

@Dan: For the record, my guess is unsalted hash too. :)
