Zappos Breach Illustrates the Need for Stronger Password Rules
By: Fahmida Rashid, eWeek
The latest breach at online clothing and apparel retailer Zappos.com highlights
the importance of password security, according to security experts.
Attackers breached one of the company's servers in Kentucky and accessed "one or
more" pieces of personal information, including customer names, email
addresses, billing and shipping addresses, phone numbers, the last four digits
of credit card numbers, and user passwords, Zappos.com CEO Tony Hsieh said in a
Jan. 15 email sent to employees and customers. Hsieh said credit card data was
stored in a separate database and was not breached. The passwords were
"cryptographically scrambled," Hsieh said.
Although Zappos immediately reset the passwords for all customers and quickly
communicated the breach to employees and customers, security experts said the
company should have provided additional information.
"An appropriate response includes more detail of 'how did they get in, where did
they go and what was accessed, seen, and removed from the network?'" Alan
Hall, security expert and director at Solera Networks, told eWEEK.
Baumgartner, a senior security researcher at Kaspersky Lab, agreed, noting that
Zappos "did the right thing" by clearly communicating what data was
accessed and what was not, all of which should be "standard, timely
stuff" for breach notifications.