Online shoe and apparel outlet Zappos.com has apologised over a massive data breach that exposed the personal details of millions. Up to 24 million customers of the Amazon subsidiary may have been affected by the breach, which exposed names, email addresses, addresses, phone numbers, and password hashes. Zappos stressed that …
Clearly still much work for us to do in securing networks.
If every such organization seeds their databases with a small percentage of unique fictional but plausible customers, with credit card details also reserved for tracing, then a trail would lead back to those connected with the hacking, and the data would be much less valuable.
But of course, store the information about which are the seeds in a separate seriously encrypted database.
Prevention is much better than mitigation.
not mutually exclusive
Best is of course both prevention AND mitigation.
Why change passwords?
If it was storing password hashes - as the article says it was - why are users being advised to change those passwords on other systems?
Presumably the hashes were unsalted or the salt was also taken. Either way the attackers can create a rainbow table to determine the clear text password. A few years ago it would have been deemed impractical because of the processing power required, but not these days. You can build such a table in just a few minutes via Amazon's Web Services cluster and it will only cost a few dollars.
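To illustrate the point above about unsalted hashes, here is an added example (not code from the article, Zappos, or the commenter) contrasting an unsalted digest, where two users with the same password get the same hash and one precomputed table covers everyone, with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256). The customer emails and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample: two customers who happened to pick the same weak password.
USERS = {"alice@example.com": "summer2011", "bob@example.com": "summer2011"}


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-1: identical passwords give identical hashes, so a single
    precomputed hash->password table cracks every user who chose that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF. A table built for one
    salt is useless for any other user. Stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_all(users: Dict[str, str], hasher: Callable[[str], str]) -> Dict[str, str]:
    """Build the credential table a site would keep, using the given hasher."""
    return {email: hasher(pw) for email, pw in users.items()}


def duplicate_hashes(table: Dict[str, str]) -> int:
    """Number of records sharing a hash with another record. Any value above 0
    tells an attacker which users share passwords without cracking anything."""
    return len(table) - len(set(table.values()))
```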
IF you don't reuse them then you don't have to...
Big if there, and with so many websites around most people use one or two (hopefully) strong passwords on a number of sites. If any of them are compromised and the hashes decrypted (let's face it, brute forcing passwords ALWAYS works by definition) you now have a username, email address and password (as well as other personally identifiable information) that you can use to compromise other accounts.
Random usernames and passwords on all accounts for every web site you access are well beyond most mere mortals, but there are a number of devices and software solutions out there to do this; people just need to invest in something that works for them and start randomizing their passwords. Personally I like MyLOK from ii2p (www.mylok.com) but it's currently only available in the US due to export limitations on the technology. Just find what works for you and use it!
Good luck with that password reset
I requested a password reset over two hours ago and I'm still waiting for the confirming email.
Too late for security hire?
Amazing that this comes two weeks after Zappos posted this job offer:
Looks like they badly need one! Also, how does blocking international traffic help? It's a stupid move; any self-respecting script kiddie knows how to get around this by using proxies, while legitimate customers from outside the US cannot get at the info, nor reset their password. Huge fail.