Over this weekend, Zappos.com and 6pm.com have been breached.
They have now blocked international IPs from various parts of their site.
It looks like the attack happened on Friday 13th, as that's when lots of users got 403 Forbidden messages from the sites.
In the interest of security, everyone with accounts on these sites should change their passwords that they use on other sites (if they use the same password across different sites),
check your PayPal and credit card statements carefully for unauthorised charges...
I wondered about that - I tried to access Zappos, and got a message that they're no longer accepting international IPs. I sent them an irritated email - it always seems so offensive when websites don't allow international IPs to even view the website. It seems so much more melodramatic than just not providing international shipping options or something.
If they were hacked though, then I feel bad about the irritated email. Does anyone (who can actually access the site) know if it's a temporary measure, or going to be company policy from now on?
Ughh!! Thank god I don't save my CC info to the account profile when ordering online! When things like this happen, it makes me so paranoid about buying online!
If anyone wants to know, here is the text of the e-mail that was sent out:
"First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on 6pm.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that 6pm.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting 6pm.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at firstname.lastname@example.org."
Both sites have the same button at the top right of the page. But when you click it then the wait game begins. The system that generates the email that will allow you to change your password is bogged down. It took almost a full hour for me to receive my email message; in fact I'm still waiting on the one from 6pm.
I got the email this morning. I've never ordered from Zappos but once I emailed them a question and they as a result made a VIP account for me.
I wonder how their business will suffer as a result. I know I'm not comfortable placing an order now.