Zappos hack shows risk of using e-mail as your account username

If you’ve ever shopped at Zappos now would be a good time to take stock of the e-mail address and password you use most often to shop and bank online.

The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million customers.

The data thieves did not get any payment card numbers, because that data was encrypted, as required under the Payment Card Industry Data Security Standard.

But as is a common practice with many online retailers, Zappos did not encrypt its customers’ e-mail and shipping addresses, phone numbers, the last four digits of the payment card numbers and the account passwords.

Feinman

Retailers do not typically encrypt any data beyond what is required under PCI-DSS rules, which is enforced by VISA and Mastercard, because doing so can degrade a website’s performance, says Todd Feinman, CEO of database security firm Identity Finder.

Feinman says it’s technically trivial for corporations to extend encryption beyond payment card numbers to other consumer data known to hold value in the Internet underground. “Visa and Mastercard fight to protect credit card numbers, but there’s no one fighting for the individual consumer whose e-mail address falls into the possession of hackers,” says Feinman.

E-commerce has come to revolve around account usernames based on a valid e-mail address, and most consumers aren’t aware of the inherent risk that arrangement engenders. Many use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at taking full advantage.

Zappos customers should be on high alert for “phishing” e-mail crafted to lure them into divulging sensitive information, such as a Social Security number, or to clicking on a seemingly trustworthy weblink that actually installs a virus.

And they should be aware that the hackers are likely to attempt to use their Zappos account e-mail and password to attempt to find and  access their other online accounts. “The hackers will be crunching the password data to identify where weak passwords have been used – as those users often re-use passwords,” says Stina Ehrensvard, CEO of authentication hardware maker Yubico. “We’re highly likely to see the data being used elsewhere on the Internet in the coming days.”

(UPDATE 17 Jan 2012: Zappos did not store any clear text passwords. What the thieves took were password hashes, alphanumeric strings  substituted for the actual passwords. Free tools, called hash tables, can display password hashes as the associated password. Hash tables are widely available for free use, and particularly effective deciphering hashes for passwords that use simplistic combinations of letters and number.)

The crooks can also make productive use of the last four digits of a victim’s payment card numbers. “It’s one more piece of information to make the consumer think the phishing message is authentic,” says Feinman.

Zappos itself is sending e-mails to its customers asking them to create new passwords for their Zappos accounts. The company recommends users change passwords on any other website where they use the same or similar passwords.

Hsieh

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” CEO Tony Hsieh said in a blog statement. “It’s painful to see us take so many steps back due to a single incident.”

Notice of the Zappos breach follows the disclosure of the Christmas Eve break-in of Strafor.com, in which hacktivists stole, then posted online, credit card numbers and account logons for more than 50,000 of the online publications’ subscribers.

And 2011 proved to be an unprecedented year for headlines about major database break-ins at Sony, Google, Bank of America, RSA, Lockheed, Epsilon, Nasdaq Directors Desk and the U.S. Chamber of Commerce, among many others.

Security experts and technologists point to several developments that suggest the pattern is likely to continue in 2012.

Example of a hash table

Many corporate system break-ins begin by tricking one employee to click on a corrupted web link or open a poisoned attachment.

Such poisoned messages arrive by e-mail, seemingly from a trusted associate, or, increasingly, circulate in Facebook and Twitter. The increasing use of sharing applications — on workplace computers and mobile devices — multiplies opportunities for clever hackers. Even the largest, most sophisticated corporations are vulnerable.

“This is a harbinger for 2012” says Feinman. “This is the type of thing were going to see all year round.”

Ehrensvard

Yubico’s Ehrensvard agrees. “Until CEOs realize the cost of doing nothing, and ask difficult questions of their teams, we expect to see regular reports of breaches,” she says. “It’s no longer acceptable for a CEO to leave the security of their customers data to others. It is their responsibility when it’s stolen.”

The Zappos breach underscores a need for corporations, especially online retailers, to reassess the risks associated with routinely amassing mountains of customer data, and to consider beefing up database defenses, security experts say.

“As more consumers choose to shop online, it becomes even more critical for retailers to monitor for malicious activity and protect their customer information,” says Mandeep Khera, chief marketing officer at data monitoring firm LogLogic. “This diligence helps protect their brands, and helps avoid compliance penalties.”

Cenzic CEO John Weinschenk at least gives Zappos credit for  transparency.  “Zappos’ response to their loss of customer data should be emulated by other organizations,” he says. “They outlined for their customers exactly what happened, what was stolen, and what it meant for them.

“Zappos took the first step by making this attack and data losses transparent. Now they need to prove to their customers they can be trusted in the future and protect personal information. That will be an ongoing process.”