Zappos hacked, 24 million accounts accessed

@CNNMoneyTech January 16, 2012: 11:33 AM ET
Zappos hack exposes 24 million customer accounts to cyberattackers, but credit cards were not stolen.

NEW YORK (CNNMoney) -- Online shoe store Zappos has been hacked, exposing the names, e-mail addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers, the company said late Sunday night.

Citing an "illegal and unauthorized access" to customer account information, the company reset its customers' passwords. Zappos then urged customers to change their login credentials on any other sites where they use the same username and password.

Zappos.com put a big green "create a new password" button on its homepage on Monday.

Zappos said customers' passwords were exposed in the hack, but the online retailer insisted that they were encoded and that attackers had no access to customers' actual passwords. Resetting its users' passwords was just an added precaution, since it's highly unlikely the hackers will be able -- or would take the time -- to unlock the encryption.

Customers of Zappos' discount shoe store 6pm.com were also affected, and their passwords were reset as well.

That was "the bad news," according to Zappos, which is owned by Amazon (AMZN, Fortune 500).

The "better news" was the cybercriminals that stole the information had no access to full credit card numbers or other payment data, since the database containing that information was not hacked.

All that was revealed were the last four digits of customers' credit card numbers -- just like the information that appears on a printed receipt at a physical store.

The last four digits of a credit card number serve as a way to identify a customer, but they are even less useful than the last four digits of a Social Security number when it comes to actually matching a real credit card number to a person.

The cyberattack occurred on one of Zappos' servers located in Kentucky, through which the hacker was able to gain access to part of the company's internal network and systems. Company CEO Tony Hsieh said in an e-mail to employees that Zappos is working with law enforcement to undergo an "exhaustive investigation."

The Zappos hack, though annoying for customers, is nowhere near as serious as some other recent thefts of consumer account information. Last spring's attack on Sony (SNE) led to stolen credit cards from 77 million customers, and a Citigroup (C, Fortune 500) hacker stole $2.7 million from about 3,400 accounts in May.

These kinds of hacks can be immensely damaging to a brand. In fact, companies are generally reluctant to reveal hacking incidents unless they're legally required to, such as when customer information has been exposed.

"We've spent over 12 years building our reputation, brand and trust with our customers," Hsieh wrote in the company memo. "It's painful to see us take so many steps back due to a single incident."

Despite recent ramped-up efforts to protect against unauthorized entry into companies' systems, hacks have only increased in number and in scale.

Globally, data breaches are expected to have accounted for $130.1 billion in corporate losses last year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion was stolen in 2011.