Zappos coughs to HUGE data breach

Online shoe and apparel outlet Zappos.com has apologised over a massive data breach that exposed the personal details of millions. Up to 24 million customers of the Amazon subsidiary may have been affected by the breach, which exposed names, email addresses, addresses, phone numbers, and password hashes. Zappos stressed that …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Seeding?

    Clearly still much work for us to do in securing networks.

    If every such organization seeds their databases with a small percentage of unique fictional but plausible customers, with credit card details also reserved for tracing, then a trail would lead back to those connected with the hacking, and the data would be much less valuable.

    But of course, store the information about which are the seeds in a separate seriously encrypted database.
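One way to implement the seeding idea described in the comment above, as an added example that is not part of the original thread: a few fictitious customers are inserted with the real ones, and only a keyed fingerprint (HMAC) of each seed is kept in a separate store, so a leaked dump can be checked for canaries without the main database revealing which rows are seeds. The `example.com` addresses, the key handling and the function names are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Added example, not code from the comment thread or from Zappos.
# Seed ("canary") records are fake customers mixed into the real table.
# The list of which rows are seeds is never stored in that table; instead
# a keyed fingerprint of each seed email is kept in a separate, protected
# store. Checking a leaked dump then only needs the key and the fingerprints.


def fingerprint(email: str, key: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256, hex) of a normalised email address."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def make_seed_records(count: int, key: bytes):
    """Create `count` plausible-looking fake customers.

    Returns (records, fingerprints): the records go into the production
    table alongside real customers; the fingerprints go to the separate
    store used later to recognise the seeds in a leak.
    """
    records = []
    fingerprints = set()
    for i in range(count):
        # Constructed address on a reserved documentation domain (RFC 2606).
        email = f"user{secrets.token_hex(4)}@example.com"
        records.append({"name": f"Seed Customer {i}", "email": email})
        fingerprints.add(fingerprint(email, key))
    return records, fingerprints


def leaked_seeds(dump_emails, seed_fingerprints, key: bytes):
    """Return the emails from a leaked dump that match a stored seed fingerprint.

    Any hit means the dump contains rows that only ever existed in our table,
    which ties the leak to this data set without exposing any real customer.
    """
    return sorted(e for e in dump_emails if fingerprint(e, key) in seed_fingerprints)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in the separate, protected store
    seeds, fps = make_seed_records(3, key)
    # Constructed "leak": two of our seeds plus an unrelated address.
    dump = [seeds[0]["email"], "someone@example.org", seeds[2]["email"]]
    print("seed rows found in dump:", leaked_seeds(dump, fps, key))
```

The fingerprint store is the sensitive part: anyone who can read it (or the key) can strip the seeds out of a dump, which is why the comment suggests keeping it separately and encrypted. Fingerprinting the normalised email rather than the whole record means a dump that has been re-cased or re-formatted still matches.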

    1. Anonymous Coward

      Re: Seeding

      Prevention is much better than mitigation.

      1. Alan Esworthy

        not mutually exclusive

        Best is of course both prevention AND mitigation.

  2. Phil Endecott

    Why change passwords?

    If it was storing password hashes - as the article says it was - why are users being advised to change those passwords on other systems?

    1. A Known Coward
      Terminator

      Presumably the hashes were unsalted or the salt was also taken. Either way the attackers can create a rainbow table to determine the clear text password. A few years ago it would have been deemed impractical because of the processing power required, but not these days. You can build such a table in just a few minutes via Amazon's Web Services cluster and it will only cost a few dollars.

    2. Jerren
      FAIL

      IF you don't reuse them then you don't have to...

      Big if there, and with so many websites around most people use one or two (hopefully) strong passwords on a number of sites. If any of them are compromised and the hashes decrypted (Let's face it, brute forcing passwords ALWAYS works by definition) you now have a username, email address and password (as well as other personally identifiable information) that you can use to compromise other accounts.

      Random usernames, and passwords on all accounts for every web site you access are well beyond most mere mortals, but there are a number of devices and software solutions out there to do this, people just need to invest in something that works for them and start randomizing their passwords. Personally I like MyLOK from ii2p (www.mylok.com) but it's currently only available in the US due to export limitations on the technology. Just find what works for you and use it!

  3. Anonymous Coward

    Good luck with that password reset

    I requested a password reset over two hours ago and I'm still waiting for the confirming email.

  4. m0th3r
    FAIL

    Too late for security hire?

    Amazing that this comes two weeks after Zappos posted this job offer:

    http://sfbay.craigslist.org/sfc/eng/2776363301.html

    Looks like they badly need one! Also, how does blocking international traffic help? It's a stupid move, any self-respecting script kiddie knows how to get around this by using proxies, while legitimate customers from outside the US cannot get at the info, nor reset their password. Huge fail.
