As news broke over the weekend that Zappos had been hacked, customers of the popular online retailer were left asking themselves what they needed to do to protect themselves. The popular company, which is owned by Amazon, says it is sending an email to customers urging them to create new passwords, but as of Monday morning, this customer has yet to receive one.
Curious customers can, however, find information on the security breach in a link from a tweet by chief executive Tony Hsieh. In that posting he shares the email, which tells customers that current passwords have been expired and that they should set a new password immediately. He also warns customers against clicking on emails that ask for personal information, as those emails might come from the hackers. (Note to customers: Twitter is becoming the fastest way to get information from companies.)
Even more importantly, the company recommends that customers change their passwords on other websites that share a similar password to the one on their Zappos account. The email also directs customers to a webpage, www.zappos.com/passwordchange, for further assistance. (Note to Zappos: Why not provide an easy link to this information on the Zappos homepage within hours of the news first breaking? Not everyone follows Hsieh’s tweets.)
The company rightly expects a flood of customer questions related to the attack, and to prepare, Zappos has turned off its phones and is instead directing customers to use email. Hsieh points out that if even just 5 percent of customers placed a call, that would be over one million calls, which the phone system cannot handle.
As Hsieh’s post explains, the facts of the attack are alarming, but not overly so: While the records of 24 million customers appear to have been accessed, the information that the hackers retrieved is limited to phone numbers, email addresses, mailing addresses, and passwords. Full credit card numbers were encrypted, as required by law, and not accessed. That means the hackers can’t go on a spending spree with stolen card numbers.
Still, password access is no joke, especially given that many customers use the same passwords on retail accounts such as Zappos and financial accounts, such as banks. Anyone who does that should immediately change passwords on those more sensitive accounts. As a general rule, one should not double up on passwords, especially for important accounts such as email and banks.
Here are a few more password-protection tips that can help minimize the impact of this kind of hacker attack:
Avoid common words or names. Hackers (and their computer programs) can easily guess these words, so they don’t offer much protection from attacks.
Create a long password that only you know. The longer the password, the harder it is to guess.
Stay away from personal information, such as birthdays, sports teams, or children’s names. Anyone who knows you personally—or can find such information about you through social networking sites—will be able to make a reasonable guess at your password.
Use those old elementary school memory tricks. If you want an easy way to remember a complicated password, try making up a sentence about it. For example, “I love my dog Harry so much” can translate into the hard-to-guess password ILMDHSM.”
Having garnered years of goodwill from top-notch customer service and free returns, Zappos is likely to remain a customer favorite. But why not post easy-to-find instructions for customers on the website, or send out a mass email, before concerned customers hear about the problem second-hand through news reports? Or at least within 12 hours the news breaking? That would be truly stellar service.