Up to 24 million Zappos Accounts HACKED!
January 23, 2012 11:05 am
On January 15, 2012, the online shoe seller, Zappos.com, announced that a hacker may have accessed personal information on up to 24 million customers. Access was gained through its internal network server in Kentucky. The personal information possibly includes names, phone numbers, email addresses, billing and shipping addresses, encrypted passwords, and the last four digits of credit cards.
Only responsible for $50 of fraudulent purchases on credit cards
Since the complete credit card number was not in the server, the hackers cannot use your credit card for other purchases. Even if they did, you are only responsible for the first $50 that is fraudulently charged on your card, when it is due to identity theft. The card issuer usually waives this fee. We can thank the Fair Credit Billing Act for that one.
The real issue is what the hackers can do with your personal data. They have enough information to open accounts, send official-looking emails seeking information, and they have passwords that may be the same at other sites.
Hackers have data to access accounts
They have your email, address, encrypted password and last four digits of your credit card number. The hacker can send you an email from Zappos or another company and you would think the email is legitimate. This can catch you off guard, especially when they use the logo from the company which seems to be legitimate. Unfortunately, some hackers can decrypt passwords, especially those that aren’t very strong. This information can be used to access other online accounts, if you reuse the same password for your accounts.
What should you do?
First you need to change your password on your Zappos account, if you haven’t done so already.
Change the password on accounts using the same password you used for Zappos. Use unique passwords for all accounts; this will probably require a list that is stored in a safe place.
Don’t respond immediately to emails from Zappos or accounts using the same passwords. Make sure the emails are legitimate. Don’t provide any personal information.
Monitor your bank statements and credit card accounts. Zappos customers will probably be given free credit file monitoring and fraud alerts.
Consider freezing your credit file.
Avoid using your birth date or mother’s maiden name for security questions; use information that is not available anywhere.
A consumer has already filed a lawsuit against Amazon.com Inc., the company that owns Zappos. The consumer wants to represent Zappos’ 24 million customers in a class action lawsuit. The suit claims Amazon violated federal consumer credit laws by failing to protect personal information. This consumer is seeking unspecified damages and a court order requiring Amazon to pay for credit monitoring and identity theft insurance.
The bigger issue might be whether you should still be shopping online, considering that the bad guys are becoming more savvy, more organized and more centric in their attacks. I expect cyber attacks to be as common as car accidents. Every time you put your information on the World Wide Web, no matter where you do it, there’s a possibility of someone finding it. But that doesn’t mean we’re going to stop doing it. We shouldn’t allow this to put us in a mode of online paralysis. We’re all essentially at risk and need to be more careful.
Credit Damage Expert, John Ulzheimer, is the President of Consumer Education at SmartCredit.com, the credit blogger for Mint.com, and a Contributor for the National Foundation for Credit Counseling. He is an expert on credit reporting, credit scoring and identity theft. Formerly of FICO, Equifax and Credit.com, John is the only recognized credit expert who actually comes from the credit industry.
This post was written by John Ulzheimer