
Zappos Hacked: Internal Systems Breached

samzenpus posted more than 2 years ago | from the under-the-wire dept.

Security 122

wiredmikey writes "Zappos appears to be the latest victim of a cyber attack resulting in a data breach. In an email to Zappos employees on Sunday, CEO Tony Hsieh asked employees to set aside 20 minutes of their time to read about the breach and what communications would be sent to its over 24 million customers. While Hsieh said that credit card data was not compromised, he did say that 'one or more' of the following pieces of personal information has been accessed by the attacker(s): customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers. User passwords were 'cryptographically scrambled,' he said."


doh (-1)

Anonymous Coward | more than 2 years ago | (#38711110)

I bought a pair of La Sportiva Gandalf shoes from there. Now the hackers know where I live.

Re:doh (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#38711126)

SOME... SHALL... PASS!

breach database? (5, Insightful)

GuldKalle (1065310) | more than 2 years ago | (#38711122)

Is there a site covering breaches like these? It would be nice to have an easily searched database with number of users, the kind of info that was accessed, the attack vector etc.

Re:breach database? (4, Informative)

Securityemo (1407943) | more than 2 years ago | (#38711160)

http://datalossdb.org/ [datalossdb.org]

Re:breach database? (1, Insightful)

WrongSizeGlass (838941) | more than 2 years ago | (#38712502)

How is this post informative? That site doesn't have anything about the Zappos breach ... or anything that's happened in the last six months. It hasn't posted an update since June, 2011 - and that includes their monthly reports.

I applaud datalossdb.org's efforts to try to make this data available in one place, but it needs new 'volunteers' (and probably some more donations).

Re:breach database? (4, Informative)

bondsbw (888959) | more than 2 years ago | (#38713076)

I'm not sure what you're looking at. Its latest report is January 13, 2012.

http://datalossdb.org/index/latest [datalossdb.org]

True, it doesn't mention Zappos yet.

Re:breach database? (1)

WrongSizeGlass (838941) | more than 2 years ago | (#38717928)

I'm not sure what you're looking at. Its latest report is January 13, 2012.

I was looking at the June 2011 through Jan 2012 reports on this page [datalossdb.org] and the date of the latest post on the front page.

breach database? (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#38711166)

This is what happens when you don't use AIX.

Re:breach database? (2)

Rubinstien (6077) | more than 2 years ago | (#38711472)

I hope you are trying to be humorous. AIX is one of the buggiest UNIX implementations I know of, and that includes security bugs. A really simple example -- one that was fixed years ago in other OS's (like Solaris) -- using the Berkeley variant of 'ps', you can easily access the environment of any process on the system. On AIX you access the Berkeley version by leaving off the hyphens in front of command-line options (nice feature that, I like it better than Sun's completely separate binary). Try 'ps geww'. Not too dangerous if everyone keeps sensitive things out of their environment, but I can guarantee that is not always the case. CGI scripts tend to put interesting things there as a matter of course.

Re:breach database? (-1)

Anonymous Coward | more than 2 years ago | (#38711594)

I AM 100% BOOTYASSCHEEK JOHNSON ULTIMATUM SUPREMACY NAKED! You interested?

"I hope you are trying to be humorous. AIX is one of the buggiest UNIX implementations I know of, and that includes security bugs. A really simple example -- one that was fixed years ago in other OS's (like Solaris) -- using the Berkley variant of 'ps', you can easily access the environment of any process on the system. On AIX you access the Berkley version by leaving off the hyphens in front of command-line options (nice feature that, I like it better than Sun's completely separate binary). Try 'ps geww'. Not too dangerous if everyone keeps sensitive things out of their environment, but I can guarantee that is not always the case. CGI scripts tend to put interesting things there as a matter of course."

Re:breach database? (0)

f3rret (1776822) | more than 2 years ago | (#38712500)

Seriously...what the hell are these guys spamming for?

I don't get it.

Re:breach database? (1)

Anonymous Coward | more than 2 years ago | (#38711752)

http://dazzlepod.com/disclosure/
Their most recent entry: http://dazzlepod.com/stratfor/
Zappos's not up yet..

Cyber attack? (5, Funny)

Anonymous Coward | more than 2 years ago | (#38711134)

I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos. After all, Cyber CEO Tony Hsie- oh fuck I can't keep this up.

Don't call it a cyber attack. It was an attack. This isn't 1996.

Re:Cyber attack? (1)

johnsnails (1715452) | more than 2 years ago | (#38711156)

hahaha! Now I have to watch Angelina Jolie in Hack3rs

Re:Cyber attack? (1)

lemur3 (997863) | more than 2 years ago | (#38711244)

she has a twenty eight point eight bee pee ess modem!!!

clearly the problem is availability of 3D glasses... cyber criminals will stop at nothing to defeat corporate giants!

Re:Cyber attack? (1)

hedwards (940851) | more than 2 years ago | (#38711732)

I thought the problem was that they realized that hacking the Gibson just required a ping of death.

Re:Cyber attack? (1)

justforgetme (1814588) | more than 2 years ago | (#38711822)

Nah, there were definitely explosions involved. I think they found an LDAP exploit.

Re:Cyber attack? (1)

justforgetme (1814588) | more than 2 years ago | (#38711810)

What was that Nintendo headpiece the blond guy was wearing called again?

Re:Cyber attack? (3, Funny)

mixmasta (36673) | more than 2 years ago | (#38711886)

Then the hackers drove away on the INFORMATION SUPERHIGHWAY ... in a YUGO, oops... equivalent of a CYBER-CORVETTE.

Re:Cyber attack? (1)

Anonymous Coward | more than 2 years ago | (#38712530)

Fuck off. Cyber is the best prefix ever.

Sincerely,
William Gibson

Re:Cyber attack? (2)

SeaFox (739806) | more than 2 years ago | (#38712568)

I hope the cyber police do what they can to find the cyber criminals who committed this cyber crime against Cyber Zappos.

I'm sure there's a gumshoe on the case already.

Re:Cyber attack? (1)

drinkypoo (153816) | more than 2 years ago | (#38713448)

Don't call it a cyber attack. It was an attack. This isn't 1996.

Just be glad they're not calling it an e-Attack.

How do you suggest the news differentiate the sort of "attack" that results only in a little hard disk thrashing and data transfer from the kind that results in dead bodies, bleeding, running, and screaming?

Re:Cyber attack? (1)

DarkOx (621550) | more than 2 years ago | (#38714672)

Maybe they committed this e-Attack with their iPwn4.

Meh,, (2)

arsemonkey (1970712) | more than 2 years ago | (#38711144)

Other than my email, and the last 4 of my nearly maxed out credit card, that's pretty much all public record anyway.

Re:Meh,, (1)

higuita (129722) | more than 2 years ago | (#38712816)

Not everyone is fool enough to use real data or have a facebook account...

First the bad news.. (4, Interesting)

lemur3 (997863) | more than 2 years ago | (#38711152)

from the email going out to customers:
Subject: Information on the Zappos.com site - please create a new password

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

...translation:

The Bad News is that things are shitty.

The Good News is that people are learning to love the smell of shit.

Re:First the bad news.. (1)

justforgetme (1814588) | more than 2 years ago | (#38711836)

does cryptographically scrambled mean what I think it does or does he just use the wrong description?

Re:First the bad news.. (1)

RKThoadan (89437) | more than 2 years ago | (#38713278)

Can you think of a better way to communicate this to John Q. Public?

Re:First the bad news.. (1)

justforgetme (1814588) | more than 2 years ago | (#38714722)

Not really, but if they were storing salted password hashes with a sufficient algo he should be able to get away with "No actual passwords were revealed".

Re:First the bad news.. (0)

Anonymous Coward | more than 2 years ago | (#38714986)

Cryptographically scrambled means MD5 hashed without a salt. Rainbow tables ahoy!

Re:First the bad news.. (0)

Anonymous Coward | more than 2 years ago | (#38717092)

"Rainbow tables ahoy!"

Wow, when you take that out of context, it takes on a completely different meaning.

That's right : (1)

unity100 (970058) | more than 2 years ago | (#38713560)

The Good News is that people are learning to love the smell of shit.

Indeed. As one joke in a Japanese anime so aptly put it:

"Even an old man's armpits grow on you with prolonged exposure ...."

I'm telling you.... the people making those animes. Crazy ....

Re:First the bad news.. (1)

Provocateur (133110) | more than 2 years ago | (#38715892)

The best news:

All user IDs are safe unless their passwords are "123456", "ABCDEF", or "password". We *did* ask you to change them from these defaults. If you did not, we suggest you meet with your new 0wners.

Well... (1)

Anonymous Coward | more than 2 years ago | (#38711178)

To suss it all out, they'll need to hire a gumshoe...

Re:Well... (2)

skegg (666571) | more than 2 years ago | (#38711536)

Yeah, and we know who's ultimately going to foot that bill.

Re:Well... (1)

mattack2 (1165421) | more than 2 years ago | (#38718110)

I know where they could buy some shoes, and return them easily, no questions asked.

Storing passwords (not as easy as you think) (5, Informative)

seifried (12921) | more than 2 years ago | (#38711182)

Sadly, password storage is actually tricky and most places do it wrong (using MD5/SHA1 for example). Covered in Nov 2011 article Storing your passwords properly [linux-magazine.com] (disclaimer: I wrote it, and it's a PDF file). One problem is that even if Zappos enforces strong passwords, users have a tendency to reuse their strong passwords between sites (you can only memorize so much gibberish or passphrases). Hopefully Zappos learns from this and builds a more resilient system.

Re:Storing passwords (not as easy as you think) (0)

Anonymous Coward | more than 2 years ago | (#38711198)

People really need to learn to use scrypt.

Re:Storing passwords (not as easy as you think) (3, Interesting)

seifried (12921) | more than 2 years ago | (#38711218)

I assume you mean http://www.tarsnap.com/scrypt.html [tarsnap.com] and https://github.com/pbhogan/scrypt [github.com] ? Looks interesting, I'll have to check them out.

Secure Remote Password protocol (0)

Anonymous Coward | more than 2 years ago | (#38713420)

I assume you mean http://www.tarsnap.com/scrypt.html [tarsnap.com] and https://github.com/pbhogan/scrypt [github.com] ? Looks interesting, I'll have to check them out.

A better idea would be to switch to storing the SRP verifier:

x = H(s,p) ; s = salt, p = password, H() is SHA-1
v = g^x

Store v, s, and u (the username).

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

Anyone who can get the password (or even the hash) from the above deserves to get them. :)
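The verifier construction in the post above, carried through to a complete SRP-6a login exchange, as an added example (editor's code, not from the post, the Wikipedia article, or any SRP library). It goes a little beyond the post: it shows both sides' messages and the key-confirmation step, not just the stored triple. Assumptions: SHA-256 in place of the post's SHA-1, the 1024-bit group from RFC 5054 Appendix A transcribed here (check it against the RFC before any real use), and the usual SRP-6a details (padded hashing, the multiplier k, the rejection of zero public values).

```python
import hashlib
import hmac
import os

# Group parameters: the 1024-bit prime and generator g = 2 from RFC 5054,
# Appendix A (transcribed here; check them against the RFC before real use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def pad(n):
    """Left-pad an integer to the byte length of N (SRP-6a hashes padded values)."""
    return n.to_bytes(N_BYTES, "big")


def H(*parts):
    """SHA-256 of the concatenated byte strings, as an integer (the post used SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def derive_x(username, password, salt):
    """x = H(s, H(I ':' P)); the only place the password itself is ever hashed."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username, password):
    """Registration: the server keeps (username, salt, v = g^x mod N), never P or x."""
    salt = os.urandom(16)
    return salt, pow(g, derive_x(username, password, salt), N)


def client_key(username, password, salt, a, A, B):
    """Client side: S = (B - k*g^x)^(a + u*x) mod N, session key K = H(S)."""
    if B % N == 0:
        raise ValueError("server sent an invalid public value")
    u = H(pad(A), pad(B))
    x = derive_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_key(v, b, A, B):
    """Server side: S = (A * v^u)^b mod N, computed from the stored verifier only."""
    if A % N == 0:
        raise ValueError("client sent an invalid public value")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def run_exchange(username, password_attempt, salt, v):
    """One login attempt with both sides' messages in order. Returns True iff the
    client's key proof matches the server's, i.e. the password was right."""
    a = int.from_bytes(os.urandom(32), "big")        # client ephemeral secret
    A = pow(g, a, N)                                 # client -> server: I, A
    b = int.from_bytes(os.urandom(32), "big")        # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N                   # server -> client: s, B
    K_client = client_key(username, password_attempt, salt, a, A, B)
    M1 = hmac.new(K_client, pad(A) + pad(B), hashlib.sha256).digest()  # client -> server
    K_server = server_key(v, b, A, B)
    expected = hmac.new(K_server, pad(A) + pad(B), hashlib.sha256).digest()
    return hmac.compare_digest(M1, expected)         # server's verdict


if __name__ == "__main__":
    salt, v = enroll("boris1322", "correct horse battery staple")
    print("correct password:", run_exchange("boris1322", "correct horse battery staple", salt, v))
    print("wrong password:  ", run_exchange("boris1322", "correct horse battery stapler", salt, v))
```

The point the post makes is visible in `server_key`: the server touches only `v`, `b`, `A` and `B`, so a dump of the user table yields verifiers, and turning a verifier back into a password is a discrete-log-plus-guess problem rather than a rainbow-table lookup. The key confirmation via HMAC over (A, B) is a minimal stand-in for the M1/M2 proofs in the Wikipedia description.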

Re:Secure Remote Password protocol (1)

tqk (413719) | more than 2 years ago | (#38715344)

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

Interesting read, thanks, but I wish a few wikipedians would go over that article and flesh it out. I'm pretty geeky, but I can't see offhand how claims like "... the SRP protocol is more secure than the alternative SSH protocol ..." are provable. Then again, I'm no cryptographer.

Of course, the devil's in the details. SRP on top of a Win* box infested with keylogger trojans will be a waste of effort (false sense of security), so it'd be better to expend effort on that front (trash Win* :-) before implementing SRP.

'Sounds like something every geek needing to secure remote accounts should know about these days. Why don't we? I'm not getting my memos! :-P

Re:Storing passwords (not as easy as you think) (4, Interesting)

dgatwood (11270) | more than 2 years ago | (#38711212)

Like storing authentication information on a separate server from user information. This tends to make the info a lot less useful.

Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

Re:Storing passwords (not as easy as you think) (1)

grantek (979387) | more than 2 years ago | (#38711582)

Ooh. User ID #67215298's password is "correct horse battery staple". Who is user ID #67215298? Uh... we haven't cracked that server yet.

Yes you have.

Re:Storing passwords (not as easy as you think) (2)

Threni (635302) | more than 2 years ago | (#38711704)

No you haven't. User ID #67215298's username is Boris1322 but how would the attacker know this?

Re:Storing passwords (not as easy as you think) (0)

Anonymous Coward | more than 2 years ago | (#38711646)

Parent is obviously referring to xkcd: http://xkcd.com/936/

Re:Storing passwords (not as easy as you think) (1)

fliptout (9217) | more than 2 years ago | (#38711232)

Thanks for this.. I've been looking for advice on storing passwords.

Re:Storing passwords (not as easy as you think) (4, Interesting)

Cato (8296) | more than 2 years ago | (#38711330)

Mod parent up, the article is quite good.

A more general and simpler answer though is to *always use a standard library* - see http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919 [stackoverflow.com] for a good answer.

Also ensure that your password storage is one-way hashed, and *salted* with a random salt (different per user) and uses *password stretching* (i.e. iterates the hashing function thousands of times to make brute forcing much more expensive). See http://slashdot.org/comments.pl?sid=1987632&cid=35150388 [slashdot.org] for more on password stretching including phpass, the gold-standard library for PHP used by WordPress, Drupal, etc.

Most importantly, never write your own password storage - you are virtually guaranteed to get it wrong. Apart from the above issues, what about timing attacks (Zend has an article about this from a PHP perspective.)
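The checklist above (one-way hash, per-user random salt, stretching, a standard library, constant-time comparison) next to the unsalted MD5 that several posts in this thread suspect is what "cryptographically scrambled" really meant, as an added example. This is editor's code, not Zappos's, not the linked article's and not phpass; it uses only the Python standard library. The parameters (PBKDF2-HMAC-SHA256, a 16-byte salt, 100,000 rounds) are my own choices for illustration, and the `pbkdf2_sha256$rounds$salt$hash` record format is a made-up but self-describing layout so the work factor can be raised later.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters are the editor's choice for this example, not a policy
# from Zappos or the article: 16-byte random salt per user, 100,000 PBKDF2 rounds.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_md5(password):
    """The weak scheme this thread fears: one MD5 call, no salt, no stretching.
    Every user with the same password gets the same digest, so a single
    precomputed table cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, stretched hash via the standard library (PBKDF2-HMAC-SHA256).
    The record stores its own algorithm, rounds and salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, record):
    """Recompute with the stored salt and rounds, then compare in constant time
    so the check does not leak how many leading bytes matched (the timing
    attack the post mentions). Malformed records simply fail."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer rounds than current policy (or an
    unknown format), so it can be upgraded on the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    print("unsalted md5, user 1:", unsalted_md5("password"))
    print("unsalted md5, user 2:", unsalted_md5("password"))   # identical
    r1, r2 = hash_password("password"), hash_password("password")
    print("salted record, user 1:", r1)
    print("salted record, user 2:", r2)                        # different
    print("verify correct:", verify_password("password", r1))
    print("verify wrong:  ", verify_password("Password", r1))
```

`needs_rehash` is the piece people forget: the rounds that are expensive today are cheap in a few years, and a record that carries its own parameters lets the site raise them per user as people log in, without a mass reset like the one Zappos just did. If a library with a tunable work factor such as bcrypt or scrypt is available, the same record layout applies; PBKDF2 is used here only because it ships with the interpreter.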

Re:Storing passwords (not as easy as you think) (1)

LordLucless (582312) | more than 2 years ago | (#38717660)

Did you actually read his article?

A more general and simpler answer though is to *always use a standard library*

Except PHP 5.3.7, like he mentions in the article. You can't always trust your libraries.

and uses *password stretching* (i.e. iterates the hashing function thousands of time to make brute forcing much more expensive).

And where he says in the article how bad of an idea this is, compared to using a work-factor algorithm like bcrypt

Re:Storing passwords (not as easy as you think) (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38711342)

I'm going to have to disagree with this statement from your article: "Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

Re:Storing passwords (not as easy as you think) (0)

fliptout (9217) | more than 2 years ago | (#38711346)

Python wrapper for bcrypt. Looks like what I need for my project:

http://code.google.com/p/py-bcrypt/ [google.com]

Re:Storing passwords (not as easy as you think) (5, Informative)

Anonymous Coward | more than 2 years ago | (#38711478)

You know, I almost posted something when this article was first published but I decided it wasn't worth it. But now that it's come up again in the context of helping people I must say something.

This article is absolutely full of errors.

The end recommendation of using bcrypt is fine, but beyond the basic concepts the rest has major problems. A few examples:

1. AES is not a hash function. It can be used in some constructions to emulate a hash, but you wouldn't just call that AES-256 as you do, nor is it commonly used this way.
2. "Because hash functions like AES256 only provide 2^256 possible unique outputs..." Only? This would put you at ~2^128 outputs before you could really hope to get a collision (and not a collision with a specific output, just any two outputs colliding). This is WAAAY beyond the resources of all of humanity.
3. "Brute-forcing older algorithms is definitely possible now (DES and 3DES already fell to brute-force attacks several years ago)." Since when was 3DES brute-forced? I see no evidence that even 2TDEA has been brute-forced, let alone 3TDEA which is what people actually use. Citation greatly needed.

There are other problems as well, but these are enough to give a taste of the issues.

Re:Storing passwords (not as easy as you think) (1)

seifried (12921) | more than 2 years ago | (#38713174)

Sadly I wish it were so

1. AES is not a hash function. It can be used in some constructions to emulate a hash, but you wouldn't just call that AES-256 as you do, nor is it commonly used this way.

No but sadly it is used as one. Google results for SHA password storage: 143,000 results, results for AES password storage: 490,000 results. It is commonly used that way.

2. "Because hash functions like AES256 only provide 2^256 possible unique outputs..." Only? This would put you at ~2^128 outputs before you could really hope to get a collision (and not a collision with a specific output, just any two outputs colliding). This is WAAAY beyond the resources of all of humanity.

We said the same things about DES/3DES; Moore's law, the growth of botnets, and all that has some interesting side effects.

3. "Brute-forcing older algorithms is definitely possible now (DES and 3DES already fell to brute-force attacks several years ago)." Since when was 3DES brute-forced? I see no evidence that even 2TDEA has been brute-forced, let alone 3TDEA which is what people actually use. Citation greatly needed.

DES was cracked in 1998 on $250,000 or so of custom hardware, using an average of 4.5 days (so half the key space). In the last 13 years hardware has gotten SIGNIFICANTLY faster and cheaper, from a 2006 paper: http://www.ietf.org/rfc/rfc4772.txt [ietf.org] , and those 10 gig/sec chips are CHEAP now. Putting a few tens of thousands onto custom boards wouldn't be that expensive (same price range as deep crack).

Re:Storing passwords (not as easy as you think) (1)

Just Some Guy (3352) | more than 2 years ago | (#38715744)

We said the same things about DES/3DES; Moore's law, the growth of botnets, and all that has some interesting side effects.

A common misunderstanding of Moore's Law is that computers double in speed every 18 months. Were that true and it held true forever, then a 256-bit hash would fall about 100 years after its 128-bit counterpart. (To those double-checking the math at home: the birthday paradox implies that you only effectively get the strength of half those bits.)

Horizontally scaling has a much, much worse payoff. Suppose you make a billion (2^30) node botnet running 24/7/365 dedicated to cracking hashes. That would make the project finish "just" 55 years after the 128-bit hash fell.

And if your target bumps that to 512-bit hash - SHA512 is in a lot of standard libraries today - then the Moore's law payoff comes after about 300 years and the billion-node payoff is still two and a half centuries out.

It's like the difference in upgrading from 8-bit to 16-bit CPUs, and then to 32-bit CPUs. Those went relatively quickly. It'll take a while for Mr. Moore to chew through the extra 32 bits we've given him in the last few years, though.

DES was cracked in 1998 on $250,000 or so of custom hardware, using an average of 4.5 days (so half the key space).

He was asking about 3DES, not DES. It's a whole world of pain harder to attack. According to the wiki [wikipedia.org] , "NIST considers keying option 1 to be appropriate through 2030."

Re:Storing passwords (not as easy as you think) (0)

Anonymous Coward | more than 2 years ago | (#38716162)

Were that true and it held true forever, then a 256-bit hash would fall about 100 years after it's 128-bit counterpart.

Generally true but incorrect specifically when it comes to AES. AES256 is known to be weaker than AES128.

https://cryptolux.org/FAQ_on_the_attacks

Re:Storing passwords (not as easy as you think) (1)

Just Some Guy (3352) | more than 2 years ago | (#38716500)

I'd handwave that away by saying I'm not sure why poor AES got dragged into this mess in the first place. Despite what the OP claims, I've not heard of many people using ciphers as hash algorithms.

Re:Storing passwords (not as easy as you think) (1)

93 Escort Wagon (326346) | more than 2 years ago | (#38711568)

One problem is that even if zappos enforces strong passwords users have a tendency to reuse their strong passwords between sites (you can only memorize so much gibberish or passphrases).

User education is the key here. There's no good reason for re-using passwords, at least for most people. For many years, OS X has included a keychain manager you can use to store passwords and other sensitive information. Gnome offers a similar tool for Linux users, and I know there are third-party Windows programs that do pretty much the same thing. These utilities make it almost trivial to use different strong passwords for all your online accounts - yet relatively few people know they even exist!

I'm sure it will be pointed out that if someone gets your keychain password they'll then have access to all your accounts, and that's true; but you're still significantly reducing the ways an attacker can successfully get at your data. You can take steps to protect your personal computer - you can't really force all the people you do business with to do the same with their servers, unfortunately.

Re:Storing passwords (not as easy as you think) (1)

93 Escort Wagon (326346) | more than 2 years ago | (#38711572)

Crap, sorry about screwing up closing that bold tag somehow.

Re:Storing passwords (not as easy as you think) (1)

CastrTroy (595695) | more than 2 years ago | (#38716454)

I've been using this method for years. I recommend this to everyone I know. But for most people, it is a bit of a hassle. The biggest problem is that you have to keep the file backed up, and you have to ensure that your backup is current. If you lose the file, you have now lost access to all your online accounts. Some people say they keep their file in a Dropbox account, but personally, I wouldn't trust my data there. They had a data breach a little while back. Even if I change all my passwords (arduous process), there's still a file out there containing the list of all my user accounts for all the websites I visit. That's pretty personal information.

Re:Storing passwords (not as easy as you think) (4, Informative)

fatphil (181876) | more than 2 years ago | (#38711672)

It's hard to take seriously an article which contains remarks like the dumb:
"26 letters, 10 numbers, 11 other character keys for a total of 94 characters"
to the misleading:
"Because hash functions like AES-256 only provide 2^256 possible unique outputs, collisions are obviously possible".

It also overlooks the fact that you're increasing your workload by a factor of X in order to increase the attacker's workload by a factor of X. Therefore there is precisely no leverage at all, and it's not really much of a win, that's a break even cost-wise.

The paragraph beginning "The advantage of bcrypt..." also seems to show that you don't appreciate the difference between a PRP like AES and a PRF like MD5 when it comes to collisions from iterated images. I'm not 100% sure about the logic you're using to lead to the "1000 possible values" claim either. In fact quite the opposite. Are you claiming that if MD5 were iterated 2^160 times, there would be 2^160 such possible values? (I.e. every input would match a password stored in the rainbow tables.) Sounds bogus, in fact.

Re:Storing passwords (not as easy as you think) (1)

ProfessorPillage (1964602) | more than 2 years ago | (#38713148)

It's hard to take seriously an article which contains remarks like the dumb:
"26 letters, 10 numbers, 11 other character keys for a total of 94 characters"

This part is right: (26 + 10 + 11) * 2 = 94. But yeah, he forgot space so it should be 95.

Re:Storing passwords (not as easy as you think) (1)

gweihir (88907) | more than 2 years ago | (#38716016)

Nothing wrong with using MD5 or SHA1, as long as you iterate and salt competently. Of course, using, e.g., PBKDF2 is better, as it avoids convergence. Still, if passwords are bad, all this does not help a lot.

6PM.COM (1)

ArhcAngel (247594) | more than 2 years ago | (#38711226)

Is 6PM.COM a part of ZAPPOS? Because they just sent a similar announcement.

They give me the creeps anyway (-1)

Anonymous Coward | more than 2 years ago | (#38711234)

Another cult company. We really don't need any more of those, no matter how good the service is. In fact, if the person serving me is always "on" it gives me the creeps. Even In-n-out is a bit creepy although I've gotten used to it. Occasionally In-n-out employees will go off script so that helps.

what does "cryptographically scrambled" mean ? (1)

zaphod777 (1755922) | more than 2 years ago | (#38711446)

So was it salted or just a hash? Without a salt they have all of the passwords pretty easily. They might as well store the passwords in plain text at that point.

Re:what does "cryptographically scrambled" mean ? (2)

droidsURlooking4 (1543007) | more than 2 years ago | (#38711690)

It was scrambled with hash. It was just supposed to be salted & peppered but the line cook put salsa on it and that's usually over easy. Crazy world today.

Re:what does "cryptographically scrambled" mean ? (1)

hedwards (940851) | more than 2 years ago | (#38711748)

Personally, I always like my hash peppered, but that's just me. Perhaps with a bit of egg on the side.

Kudos to Zappos for the way they handled this. (5, Insightful)

I'm Not There (1956) (1823304) | more than 2 years ago | (#38711456)

Shit happens; the way you handle a crisis is what matters. Zappos was very open about this, sent me an email, asked me to change my password, set up new email addresses and web pages for this problem and questions that customers may have, and announced the issue quickly.

I wish more companies would act like this.

Re:Kudos to Zappos for the way they handled this. (1)

saccade.com (771661) | more than 2 years ago | (#38711526)

My wife tried to order shoes tonight, and first the site insisted she change her password. Then it took -forever- for the address/payment info to appear before it would let the order go through. Trying to phone them got a "We're sorry - we cannot take your call at this time" recording - *very* unusual for Zappos. Makes me think this has them pretty bent out of shape. Wish I'd seen this before she placed the order. We may be buying some slimeball a lot of shoes...

Re:Kudos to Zappos for the way they handled this. (1)

Sprouticus (1503545) | more than 2 years ago | (#38713998)

They explicitly said they turned off their phone lines because the Cust Service Dept was getting swamped. I can understand that actually.

I would like to agree with the GP. They made a mistake, but unlike Sony they handled it well. If it happens again I will probably take my business elsewhere, but for now I'm OK with how they responded.

Re:Kudos to Zappos for the way they handled this. (1)

Anonymous Coward | more than 2 years ago | (#38711540)

I wish more companies would act like this.

No need to wish for this. Words are cheap and security is not, so every day more companies adopt this clever strategy. The genius of this is it not only saves money on useless security but also betters the company's (and its CEO's) image, and if that weren't enough there's also some free publicity.

Password reset may not be a great idea (1)

jaymz666 (34050) | more than 2 years ago | (#38711538)

So, they reset your passwords, if you use a few different passwords across sites and don't remember which is which, you can't try any of these to tell which one you did use at the site.

This seems less secure to me. Resetting the password means you can't tell what password you used there.

Re:Password reset may not be a great idea (1)

SpzToid (869795) | more than 2 years ago | (#38711738)

This is why I try to get my colleagues, many of whom are 'normal users' in a volunteer charity website for example, to use Passpack [passpack.com]. I try to teach them to use strong unique passwords for each site they register with, while actually only having to remember about two passwords (and using copy/paste). But also a feature of Passpack (like other similar services, I imagine) is being able to share passwords among a workgroup, in case the server admin gets hit by a bus for example. This solution is the best I've found so far for this common problem.

Re:Password reset may not be a great idea (1)

webheaded (997188) | more than 2 years ago | (#38712736)

Kind of dumb but helpful...I had my password saved in my browser and looked it up there. I'm sure that is insecure as hell though and now that I realize that my browser just throws it out there without encrypting it at all...I'm a bit nervous. As much as I love computers and shit...sometimes I hate them.

Re:Password reset may not be a great idea (1)

higuita (129722) | more than 2 years ago | (#38712912)

In Firefox you can set a master password to secure your saved passwords.

Re:Password reset may not be a great idea (1)

webheaded (997188) | more than 2 years ago | (#38712974)

I'm more worried about nefarious programs or whatever rummaging through there...not my wife finding the passwords. :p

Setting a password up for Firefox doesn't do jack shit, as far as I'm aware. That's all stored in an SQLite db anyway.

Re:Password reset may not be a great idea (2)

blueg3 (192743) | more than 2 years ago | (#38713178)

The passwords aren't stored cleartext in the database, they're encrypted with your master password.

Re:Password reset may not be a great idea (1)

DarkOx (621550) | more than 2 years ago | (#38714768)

If you are doing that you have larger issues. So when a site rejects your password and you try some others, you are potentially submitting credential pairs which may be valid elsewhere to a compromised host. BAD.

If you don't know what password Zappos had for your account, then you should set new passwords on ALL your accounts.

Legendary (0)

Anonymous Coward | more than 2 years ago | (#38711940)

Zappos hacked. Mollres and Atticuno come next.

Re:Legendary (1)

GameboyRMH (1153867) | more than 2 years ago | (#38712314)

LOL beaten XD

Re:Legendary (1)

tehlinux (896034) | more than 2 years ago | (#38712660)

Arduino, I choose you!

Thanks (0)

tehlinux (896034) | more than 2 years ago | (#38712626)

but I got that email yesterday. My shoes were to die for though!

Yah... (1)

beadfulthings (975812) | more than 2 years ago | (#38712774)

Such a cheerful thing to find waiting for you in your inbox. My email was waiting for me this morning.

I suppose it is a small price to pay for my semi-orthopedic, little old lady Crocs, the ugliest and most comfortable shoes on the planet.

Passwords are becoming a bummer.

D'IC)K (-1)

Anonymous Coward | more than 2 years ago | (#38712822)

result of a quarrel

Slow staff??? (0)

Anonymous Coward | more than 2 years ago | (#38712924)

The CEO thinks it takes 20 mins for his employees to read the email. Does this say anything about the quality of their staff?

How many comments to go through to find out... (1)

fotoguzzi (230256) | more than 2 years ago | (#38713224)

...what Zappos is. I mean, why not just call it $companyfunction $company. Would it be so much to say what this company with millions of users does/sells?

Re:How many comments to go through to find out... (0)

Anonymous Coward | more than 2 years ago | (#38713844)

Fair enough, but I'd venture a guess that they're as well known by the general public as a site like NewEgg is to us geeks. I'd be surprised if the percentage of people on Slashdot unfamiliar with Zappos were over 10%.

Re:How many comments to go through to find out... (0)

Anonymous Coward | more than 2 years ago | (#38714132)

You apparently don't have a wife/girlfriend. Or any female friends, for that matter.

Re:How many comments to go through to find out... (0)

Anonymous Coward | more than 2 years ago | (#38717382)

You apparently don't have a wife/girlfriend. Or any female friends, for that matter.

I don't either, and I *still* know what Zappos is!

Re:How many comments to go through to find out... (1)

tqk (413719) | more than 2 years ago | (#38717616)

Would it be so much to say what this company with millions of users does/sells?

You apparently don't have a wife/girlfriend. Or any female friends, for that matter.

Yeah, I really look forward to getting together with female friends to discuss their shoes. :-P

The correct answer is, "If you can post a dumb comment on /., you can look it up in a search engine, idiot!"

Re:How many comments to go through to find out... (0)

Anonymous Coward | more than 2 years ago | (#38714650)

It's fucking Zappos. If you don't know what they do by now, you probably just got on the internet and it would be a good time for you to learn to use Google. At some point we can stop saying things like "Ford, a vehicle manufacturer" or "Dell, a computer maker" and simply assume a baseline level of knowledge to participate in society. You, sir, have failed to meet that baseline. Congratulations.

Re:How many comments to go through to find out... (0)

Anonymous Coward | more than 2 years ago | (#38715932)

Douchebag.

It's an online shoe retailer.

How difficult was that?

Re:How many comments to go through to find out... (1)

theswade (2020510) | more than 2 years ago | (#38715902)

Have you considered clicking on the link in the article? The first sentence answers your question.

Re:How many comments to go through to find out... (1)

blop (71154) | more than 2 years ago | (#38717250)

I was wondering exactly the same thing... Slashdot forgets that a lot of readers aren't from the US and don't know anything about US-centric brand names...

Re:How many comments to go through to find out... (1)

Jeng (926980) | more than 2 years ago | (#38718332)

In this day and age it makes little sense to ask another person what something is if you have access to a computer.

If someone had mentioned this to me in meatspace and I wasn't near the internet I would ask what Zappos is, but you are on the net, it is easier to Google than it is to ask.

Now if it was something that didn't pull up within the first few links then you would have something to stand on, but Google gets it right with the first link.

Who cares, this won't... (0)

Anonymous Coward | more than 2 years ago | (#38713590)

...stop my wife from spending all my money there anyway.

Zappos Is Hiring... (1)

Kevin Raffay (2554198) | more than 2 years ago | (#38715084)

...an "Applications Security Engineer" (http://about.zappos.com/jobs). Duties include: "Develop security improvements for the company's websites and backend applications." Evidently, this position is still unfilled.

Payback for Awful Marathon? (1)

theswade (2020510) | more than 2 years ago | (#38715876)

Back in December there was a Zappos Rock n' Roll marathon in Las Vegas that drew a lot of ire for its many shortcomings, including running out of food and water, replacing said water with non-potable fire hydrant water making many people sick, overcrowding, disorganized medical response teams, etc. It would not surprise me to learn that someone decided to inflict this attack as retribution. However, that's just speculation. There are plenty of other feasible motives.