Amazon-owned Zappos warns users after cyber-attack

Zappos website
Image caption Zappos says credit card and payment data was not exposed

Cyber-attackers have struck Zappos, the Amazon-owned fashion e-retailer.

The company has reset the passwords of 24 million customers and asked them to choose new ones.

It said names, email addresses and other personal information may have been exposed, but not full credit card numbers.

Though significant, other attacks have been larger. In 2010 a US court convicted a hacker of stealing details from more than 130 million cards.

Zappos, which was founded in 1999 by Nick Swinmurn, started out as an online shoe retailer but now sells clothing and accessories.

It was sold to Amazon for more than $1bn (£650m) in 2009.

In an email to staff sent on Sunday and posted on the company website, Zappos chief executive Tony Hsieh said: "We were recently the victim of a cyber-attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.

"We are co-operating with law enforcement to undergo an exhaustive investigation."

Mr Hsieh added: "We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident."


Following the attack the company wrote to its 24 million customers asking them to choose new passwords for and any other site where they may have used the same or similar password.

The email said the attack had potentially exposed the name, email address, billing and shipping address and phone number of customers.

It also warned that "the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)" may have been exposed in the attack.

However, in his message to company staff Mr Hsieh stressed that the credit card and payment database had not been accessed.

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites