Zappos Breached - What Should You do?
Well, it’s 2012 and the year starts off with yet another breach – 24 million records this time. Fortunately there is positive news to go along with this story. The good news is, according to Tony Hsieh, the CEO of Zappos, the database that holds credit cards and other payment data was neither affected nor accessed. The bad news is that one or more of the following types of information were taken: customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of customers’ credit card numbers, and “cryptographically scrambled” passwords, which most likely means they were hashed. Hashing passwords is good security practice, but it is a protection an attacker can circumvent, especially when the password is weak. So what do you do?
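To illustrate why a hashed copy of a weak password still does not protect it, here is an added example (not code from the original post): an unsalted, fast hash of a guessable password is matched against a precomputed table of common choices, while a long passphrase is not. The wordlist is a constructed sample; real lists run to millions of entries.

```python
import hashlib

# Constructed sample of commonly chosen passwords. A defender keeps a list like
# this to reject weak choices; an attacker keeps one to test stolen hashes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password, hex-encoded.

    Chosen only to make the point: a fast, unsalted hash lets one precomputed
    table be reused against every stolen record. A slow, salted hash (bcrypt,
    scrypt, PBKDF2) raises the cost per guess but cannot rescue a password that
    sits in a short list of common choices.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Precompute hash -> plaintext once for every entry in the wordlist."""
    return {sha256_hex(word): word for word in wordlist}


def recover_if_weak(stolen_hash: str, lookup: dict):
    """Return the plaintext if the stolen hash matches a common password, else None."""
    return lookup.get(stolen_hash)


def is_weak(password: str, lookup: dict) -> bool:
    """Defender-side check: would this password fall to the precomputed table?"""
    return recover_if_weak(sha256_hex(password), lookup) is not None


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    for candidate in ["letmein", "Tq7!vr9-moss-lantern-42"]:
        print(candidate, "->", "weak" if is_weak(candidate, table) else "not in list")
```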
Change your Passwords (Passwords not Password.)
The number one recommendation we make when a breach like this occurs is to immediately change your password on Zappos’ website and on any other site where you use the same or a similar password. Generally it is never a good idea to share passwords across many websites. One recommendation is to use password management software to store unique passwords for multiple websites. Fortunately, Zappos has already expired and reset all customer passwords.
Be aware of Social Engineering Techniques aimed at getting your information for OTHER sites.
Customers should be wary of phishing emails. Attackers use the personal information gained in attacks like this to “Spear Phish”. Spear Phishing is a targeted email that appears to come from a “trusted source” in order to gain additional information. For example, a spear phishing email could attempt to coerce the victim into entering personal information on a crafted website. Zappos’ customers should be advised that Zappos will never contact them asking for personal or account information in an email. Customers should exercise caution if they receive any emails or phone calls that ask for personal information or direct them to a website where they are asked to provide personal information. Also, never follow a link to a site. Always enter the URL manually.