Comments on: Zappos.com breach – lessons learned
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/
News, Views, and Insight from the ESET Security Community
Feed last updated: Mon, 03 Feb 2014 08:49:00 +0000

By: Cameron Camp (Tue, 24 Jan 2012 00:35:07 +0000)
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/#comment-626

@Jim: Thanks for the feedback. It's good to hear how their plans played out. Sorry to hear about your experiences. It's interesting to watch how companies respond during and after the initial flood of customer communication. It's encouraging to hear they had solid plans; it might also be good to hear from them about the rest of their experience and what they feel they could improve upon. Following their internal investigations it would seem they might send more follow-up information along. We'll wait and see.

By: Jim Coker (Sat, 21 Jan 2012 15:45:41 +0000)
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/#comment-625

While you raise a couple of good points, I would like to disagree that Zappos did a good job in responding. As a recipient of their communication, I found no explanation that Zappos knew how the breach occurred, nor assurances that they had sufficiently eliminated the possibility of it happening again. I see a reference in your article about a special web site being set up, yet there was no mention made in the Zappos email I received. And when I tried to contact their 24/7 customer support line, I learned they had shut it off, making it impossible to even leave a message requesting a call back. I emailed my questions to Zappos and received no response, not even an auto-response that it was received and would be handled later. So, no, I think Zappos has turned its back on the affected customers and should NOT be looked upon as a high-quality response to this unfortunate incident.

By: Cameron Camp (Thu, 19 Jan 2012 23:25:12 +0000)
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/#comment-624

@data_breach: It's difficult to determine their internal storage mechanisms for their full card data. They say it is stored separately from the customer records which are in question; it's hard to say exactly without knowing how their data is set up. I have seen networks where a dedicated database server is used for payment card storage, due to PCI compliance issues, and more generic customer contact info stored elsewhere. One way or another it's not very good news for customers, but let's hope the full cc data isn't part of the bounty for the scammers.

By: data breach (Thu, 19 Jan 2012 22:32:23 +0000)
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/#comment-623

Is it just me or are they making conflicting statements? I mean, seriously,

“…names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and cryptographically scrambled passwords had been hacked.”

and then they just throw this garbage

"…THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED."

Even if we assume that cyber criminals don't have credit card numbers, the said information is candy for carders anyway.

By: Vicki T (Thu, 19 Jan 2012 17:03:58 +0000)
http://www.welivesecurity.com/2012/01/17/zappos-com-breach-lessons-learned/#comment-622

Whew! Thank you so much for this article. I am a Zappos customer and, thankfully, the credit card I had on file was no longer valid, but what you have made me realize is that I need to get busy and start spiffing up my passwords on many sites. I have known all along that this needs to be done, but I'm sure I am not alone when I say that I loathe changing passwords because I fear I will not remember them when I need them. Great article, Cameron!
