17 January 2012

Zappos Customer Accounts Hacked | The password reset process

There has been a lot of news recently about the intrusion of the Zappos.com customer data whereby hackers gained access to data including "the name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."

Zappos, now part of Amazon, responded with an email to all of the 24 million plus account holders with the above information. They also went on to say that they have "...expired and reset your password so you can create a new password."

Now, at first glance this seems like a great sequence of events, but I'm now wondering what my password was for Zappos because I didn't save that password anywhere. This leads me to now question if I used the password on another website. It would be great if I used a different password on every site I have, but with over 250+ logins to accounts it's damn near impossible to have a different one for them all.

Let's just hope that I can somehow obtain the old password either from the standard password reset process via the website, or I at least hope they still have the hash of the password I used for the site. The hacker has it, so I hope Zappos still does. I have yet to go through the password reset process as they aren't allowing access outside the US currently.

[Update 2012-01-17 22:55]

I contacted Zappos via their passwordchange@ address they indicated earlier today to let them know what I said above. They came back to me rather quickly which is fantastic considering the number of enquiries they must be receiving.

I asked them if they could send me that hashed version of my stolen password. The one they told me was compromised via their email. I said I no longer knew which one I used, I use many, but like most, I re-use some here and there.

I was told:

Thank you for your response to our earlier email. We would like to extend our sincerest apologies for the inconvenience this may have caused and we truly understand the severity of the situation.

Unfortunately, we do not have access to any of your previous passwords, so we are unable to have this re-sent to you. However, if you attempt to reset your password to a previously used password, the system will decline the attempted password reset. So, if this occurs, this may serve as a strong indication to you that this might be the password in question.

I emailed back stating that if you're checking against old passwords then you must still have the password hash. I can't access your website at all to reset it; could you talk to a developer and get this for me please. I was shocked to receive this:

As indicated in the previous email, your old password has been reset and expired; therefore what it may have been is no longer of importance. We recommended that you update subsequent online accounts if you consistently use a similar password as an added precaution. This link below will take you to our website and allow you to create a new password in order for you to access your Zappos.com Account: zappos.com/passwordchange

Knowing what password I used at Zappos will unlock the mystery to which of the 250+ other accounts I need to change my passwords on.
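As an added illustration (not code from the original post, and not Zappos's own system), here is a toy model of the reset behaviour their email describes: every password is expired, the old salted hash is retained (not the plaintext, which a one-way hash never stores), and a reset to the same password is declined because the candidate can be hashed with the stored salt and compared. The account store, its field names and the PBKDF2 work factor are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for illustration only


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The salt must be kept alongside the hash,
    otherwise a later candidate password cannot be hashed for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    """Toy account store (constructed for this example): one record per
    email holding the salt, the password hash and an 'expired' flag."""

    def __init__(self) -> None:
        self.accounts = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {"salt": salt,
                                "hash": hash_password(password, salt),
                                "expired": False}

    def expire_all(self) -> None:
        """Breach response as described in the email: every password is
        expired so it no longer logs in, but the old hash stays on record."""
        for record in self.accounts.values():
            record["expired"] = True

    def login(self, email: str, password: str) -> bool:
        record = self.accounts[email]
        if record["expired"]:
            return False  # expired credential is refused even if correct
        return hmac.compare_digest(record["hash"],
                                   hash_password(password, record["salt"]))

    def reset_password(self, email: str, new_password: str) -> bool:
        """Decline a reset that re-uses the previous password. This check is
        only possible because the old salt and hash are still stored, which
        is the point made in the post: 'declining the old password' implies
        the hash was retained."""
        record = self.accounts[email]
        same_as_old = hmac.compare_digest(
            record["hash"], hash_password(new_password, record["salt"]))
        if same_as_old:
            return False  # matches the compromised password: refused
        salt = os.urandom(16)  # fresh salt for the new credential
        record.update(salt=salt, hash=hash_password(new_password, salt), expired=False)
        return True
```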

I'm waiting for a reply back from my explanation of how critically important knowing my old password is and the fact that I can't access and reset my password on their site. Hopefully there's some time for them to address this on their end today. Mine is over for now. I'm going to sleep. More to follow.

1 comment:

Anonymous said...

what a fantastical blog page