January 17, 2012, 4:05 PM — For many people, shoes are functional items of apparel. For my lovely wife, however, they are sacred objects. That's why she worships at the Church of Zappos.
On occasion I also shop at Zappos and its sister company 6pm.com, because a) I am stingy by nature, b) they offer great deals and even better customer service, and c) I would rather gargle with broken glass than enter yet another shoe store.
Which means that my wife and I are among the 24 million people who’ve probably just had their personal information stolen by hackers.
Yesterday we both received an email from 6pm.com that began thusly:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on 6pm.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
That last bit is confusing, isn’t it? I asked Zappos to explain how its encrypted password can be decrypted; their response? “We’re not doing interviews right now.”
Breaking hashed passwords isn't as hard as it sounds, especially if the hashing algorithm isn't exactly world class. Researchers analyzing last month's attack on Stratfor Global Intelligence are busy cracking the MD5 hashes used for each password, just to analyze how insecure they are. Per IDG's Jeremy Kirk:
With modest computing power and password cracking programs, many of those MD5 hashes can be decoded into their original password. The simpler and shorter the password, the faster it can be decoded.
In other words, the hackers don’t have our passwords yet, but with a little elbow grease (and weak passwords) they can probably get them.
Zappos/6pm responded by informing all of its users promptly and automatically cancelling their old passwords. Customers were directed to go to the site and click a button that would issue them an email for a password reset.
Of course, Zappos was purchased by Amazon two years ago. There’s no indication that Amazon was also affected by the attack, but if you use the same logon and password for Amazon as you do for Zappos (or other retail sites), now would be an excellent time to change them.