As hacks go, Zappos’s attack over the past weekend could have been a lot worse.
If you’re one of the estimated 24 million affected Zappos or 6PM.com (an affiliate site) customers, you can take solace in the fact that only the last four digits of your credit card number have been compromised. Likewise, as Zappos CEO Tony Hseih explained in an email to customers on Sunday, hackers stole a cryptographically scrambled version of users’ passwords, not the actual password.
But even though the damage sounds pretty benign, security experts caution that affected customers may still see some fallout, including becoming the target of phishing scams and possibly still worrying about those compromised passwords.
Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.
Siciliano warns users who got Hseih’s email to avoid clicking on links that purport to be from either Zappos or their credit card firm over the next few months. Phony emails and voicemail messages typically ask users to “update” their info, giving hackers access to more potentially damaging data.
That said, Siciliano says he can’t be sure how many people are likely to be targeted. “I was a PlayStation user and I didn’t get [targeted by phising schemes],” he said, referring to an attack on attack on Sony’s PlayStation Network last April. “But that doesn’t mean nobody was.”
Chester Wisniewski, a senior security advisor at Sophos, says another danger is that the hackers were able to decipher users’ passwords. Depending on the level of encryption, Wisniewski says this process can take anywhere from a few hours to a few weeks. “You can typically crack millions of [passwords] within hours with a single powerful computer,” he says. However, if Zappos employed password salting, then deciphering its passwords will take a lot longer.
A Zappos rep declined comment on the level of encryption the company uses for its password.
If the hackers do decipher user passwords, it won’t necessarily be dangerous in itself. The problem is that most people use the same password for multiple accounts. If a hacker knows what password you used at Zappos, he’ll probably be able to figure out how to hack your Facebook account as well.
Meanwhile, if the past is any guide, the damage to the Amazon-owned Zappos brand is likely to be short-lived. The chart below, compiled by YouGov’s BrandIndex, found that the PlayStation brand’s image took a hit after the attacks, but has rebounded since then and even hit a new high in brand perception over the holidays. BrandIndex’s data is based on a daily online survey of 5,000 Internet users. The score is based on an average of positive perceptions (+100) and negative (-100).
Zappos’s score just before the attacks was at around +7. While that will probably take a dip, Wisniewski says he expects Zappos’s damage from this latest attack to be similarly ephemeral. Says Wisniewski: “Most companies I see going through take a deep brand hit for a short time and then people move on.”