EcommerceBytes-NewsFlash, Number 2718 - January 16, 2012

Zappos Hacked, All Hands on Deck to Help Customers Reset Passwords


Zappos sent an email to customers on Sunday informing them of a security breach. The letter said the database that stores critical credit card and other payment data was not affected or accessed, but some customer information may have been accessed, including name, address, phone number, and the last four digits of customers' credit card numbers.

In a separate email to employees, Zappos CEO Tony Hsieh wrote, "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation."

As a precaution, Zappos reset the passwords of all customers, who must now visit Zappos and create a new password. The company also recommended customers change their passwords on any other website where they use the same or a similar password.

Hsieh told employees he made the decision to temporarily turn off phones and require customers to use email to communicate with the company due to the volume of inquiries he expects. "If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," he wrote. Employees from all departments will be required to assist customers.

The letter Zappos sent customers explains what kind of information may have been breached: "We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."

The letter also reminded customers to be on their guard for spoof emails - "As always, please remember that will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information."

Amazon acquired Zappos in 2009 in a deal worth $807 million with an additional $40 million in cash and restricted stock units for Zappos employees.

Update: Sister site also affected.

About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to
