News Item

Zappos Breach Illustrates the Need for Stronger Password Rules

By: Fahmida Rashid, eWeek

The latest breach with online clothing and apparel retailer Zappos.com highlights the importance of password security, according to security experts.

Cyber-attackers breached one of the company's servers in Kentucky and accessed "one or more" pieces of personal information, including customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and user passwords, Zappos.com CEO Tony Hsieh said in a Jan. 15 email sent to employees and customers. Hsieh said credit card data was stored in a separate database and was not breached. The passwords were "cryptographically scrambled," Hsieh said.

While Zappos.com immediately reset the passwords for all customers and quickly communicated with employees and customers about the breach, security experts said the company should have provided additional information.

"An appropriate response includes more detail of 'how did they get in, where did they go and what was accessed, seen, and removed from the network?'" Alan Hall, security expert and director at Solera Networks, told eWEEK.

Kurt Baumgartner, a senior security researcher at Kaspersky Lab, agreed, noting that Zappos "did the right thing" by clearly communicating what data was accessed and what was not, all of which should be "standard, timely stuff" for breach notifications.
