Zappos customers got a rude awakening Sunday.
Emails sent to customers and employees by Zappos CEO Tony Hsieh warned that personal information may be in the hands of hackers who were able to gain access to the company’s internal network.
The online shoe retailer’s database that stores customers’ credit card and other payment data was not affected or accessed, the security emails stated. However, customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and cryptographically scrambled passwords (although not the actual passwords) may have been tapped into.
To protect customers, Zappos expired and reset the passwords for all online accounts. Current customers will be prompted to create new passwords when they access their online accounts.
“The most important focus for us right now is the safety and security of our customers' information,” Hsieh said in an email sent to employees. “We will begin the process of notifying the 24-plus million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts.”
The company recommends that customers change their passwords on any other website where the same or a similar password is used, the email said. Zappos.com never asks customers for personal or account information in an e-mail, so customers should be cautious if they receive an e-mail or phone call that asks for personal information.
Zappos has temporarily turned off all phones and is directing customers to contact support teams through email because of the large volume of inquiries expected. “If 5 percent of our customers call, that would be over one million phone calls, most of which would not even make it into our phone system in the first place,” the email said.
“We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed,” Hsieh said in an email.