January 16, 2012, 10:45 AM

Zappos.com is hacked

The Amazon-owned e-retailer of footwear says a hacker breached its customer database.

Allison Enright


Lead Photo

More than 24 million customers of online shoe retailer Zappos.com received a notice last night that their personally identifiable information may have been stolen. An e-mail to customers said customers’ names, e-mail addresses, billing and shipping addresses, phone numbers, scrambled passwords and the last four digits of credit card account numbers may have been taken. The database that stores payment and credit card data was not compromised, the e-retailer said.  

Zappos is owned by Amazon.com Inc., No. 1 in Internet Retailer’s Top 500 Guide. The same e-mail was also sent to customers of 6pm.com, a discount shoe e-retailer operated by Zappos.

An e-mail sent to Zappos employees last night by Zappos CEO Tony Hsieh says a criminal gained access to parts of Zappos’ internal network and systems through a server in Kentucky and that Zappos is working with the FBI to investigate. He said the attack happened recently but did not specify precisely when it happened or how Zappos became aware of it. Zappos also posted a link to the employee e-mail on its Facebook wall and linked to it from Twitter. Amazon and Zappos representatives declined to provide further details.

Comments Zappos customers posted on Zappos Facebook wall today were largely supportive of the e-retailer, although some consumers said they had not received the e-mail Zappos sent to customers last night.

The e-mail to customers also informed them that Zappos had reset all customer account passwords and asked customers to create a new password for their accounts. Consumers on Facebook complained Monday that were delays in processing the new password requests, which required consumers to submit their e-mail address on Zappos.com and wait for an e-mail from the e-retailer. It took approximately five hours for Zappos.com and 6pm.com to respond to password requests submitted today by Internet Retailer.

Hsieh’s e-mail to employees alerted them that Zappos had temporarily turned off its phones because it expected that the volume of customer inquiries about the breach would overwhelm it. Hsieh asked that all employees, regardless of department, help answer customer inquiries via e-mail. “We need all hands on deck to help get through this,” he wrote.

“We’ve spent over 12 years building our reputation, brand and trust with our customers,” Hseih wrote. “It’s painful to see us take so many steps back due to a single incident.”

Customers who call Zappos’ toll-free customer service number today hear a recording that directs them to e-mail the company at help@zappos.com.

Comments | 2 Responses

  • The best action Zappos can take, if they are truly interested in looking out for the customer, is to dump all of the accounts and let people set them back up. The login id's should be considered just as sensitive as encrypted passwords.

  • zappos uses email address as username.

Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!




Relevant Commentary


Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...


Charles Nicholls / E-Commerce

E-mail remarketing: three best practices to maximize revenue

Consumers who make it to the shopping cart are interested in buying. The chief strategy ...