For many people, shoes are functional items of apparel. For my lovely wife, however, they are sacred objects. That's why she worships at the Church of Zappos.
On occasion I also shop at Zappos and its sister company 6pm.com, because a) I am stingy by nature, b) they offer great deals and even better customer service, and c) I would rather gargle with broken glass than enter yet another shoe store.
Which means that my wife and I are among the 24 million people who’ve probably just had their personal information stolen by hackers.
Yesterday we both received an email from 6pm.com that began thusly:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on 6pm.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
That last bit is confusing, isn’t it? I asked Zappos to explain how its encrypted password can be decrypted; their response? “We’re not doing interviews right now.”
Breaking hashed (“encrypted”) passwords isn’t as hard as it sounds, especially if the hashing algorithm isn’t exactly world class. Researchers analyzing the hack attack on Stratfor Global Intelligence last month are busy cracking the MD5 hashes used for each password, just to analyze how insecure they are. Per IDG’s Jeremy Kirk:
With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.
In other words, the hackers don’t have our passwords yet, but with a little elbow grease (and weak passwords) they can probably get them.
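To make the point concrete, here is an added example (my own illustration, not code from Zappos or the researchers quoted above): a constructed, unsalted MD5 digest of a weak password is matched against a short guess list, exactly the "modest computing power" attack described, and beside it is what a site should store instead, a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256), so that the same guess has to be recomputed per user and each check costs real time. The password, guess list and iteration count are all assumed values for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: an unsalted MD5 digest of a weak password, standing in
# for the "cryptographically scrambled password" a breach notice refers to.
WEAK_PASSWORD = "shoes123"
LEAKED_MD5 = hashlib.md5(WEAK_PASSWORD.encode()).hexdigest()

# Constructed guess list; a real wordlist would run to millions of entries.
GUESS_LIST = ["password", "123456", "zappos", "shoes123", "letmein"]


def recover_from_unsalted_md5(digest_hex, guesses):
    """Return the guess whose MD5 equals digest_hex, or None.
    With no salt, one cheap hash per guess checks it against every
    user at once, which is why short, common passwords fall first."""
    for guess in guesses:
        if hashlib.md5(guess.encode()).hexdigest() == digest_hex:
            return guess
    return None


def store_password(password, iterations=200_000):
    """Defender side: random 16-byte salt plus PBKDF2-HMAC-SHA256.
    The salt makes identical passwords hash differently per user;
    the iteration count makes each guess cost ~200k hash operations."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(record, candidate):
    """Recompute the KDF with the stored salt; constant-time compare."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["hash"])
```

Two users who both picked "shoes123" get different stored records under the salted scheme, so a cracker cannot amortize one guess across the whole user table the way the unsalted MD5 case allows.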
Zappos/6pm responded by informing all of its users promptly and automatically cancelling their old passwords. Customers were directed to go to the site and click a button that would issue them an email for a password reset.
Of course, Zappos was purchased by Amazon two years ago. There’s no indication that Amazon was also affected by the attack, but if you use the same logon and password for Amazon as you do for Zappos (or other retail sites), now would be an excellent time to change them.
Because scammers know better than anyone just how lazy people are when it comes to Internet passwords. According to a study by security vendor Trusteer, three out of four people use their bank logons to access at least one other site. So if they’ve got your Zappos password, they might have a lot more than that.
I’m as guilty as anyone. Aside from my bank and a handful of key commerce sites, I tend to recycle my passwords. There are just too damned many logons to remember. I’ve yet to find password vault software that is truly seamless (though I’m going shopping for a cloud-based one as soon as I finish this post).
I’m 95 percent sure I had different passwords for 6pm and Amazon. But 95 isn’t 100 percent, so I changed them both anyway. And you should too. More important, you should change your email password -- early and often.
Email passwords are the riskiest because they contain the key to every other account you own; they’re the place everyone sends your password resets. Even a halfwit hacker knows that once he gains entry into your email account he can simply reset your passwords to gain access to all your other accounts.
This is yet another wake-up call about Internet passwords – a really weak form of protection, and one that is desperately obsolete. Multi-factor authentication, encrypted single sign-on, even biometrics; anything would be better than this.
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.