I received two emails from shoe e-tailers 6pm.com and Zappos.com yesterday concerning a security breach on their Web sites. Certain bits of user information were compromised, including:
- Your name
- E-mail address
- Billing and shipping addresses
- Phone number
- The last four digits of your credit card number
- Your scrambled password
Credit card and billing information was supposedly not compromised as of this writing (January 16, 2012).
One thing not mentioned — and I wished that this was communicated — was when the breach was identified, how long it was allowed to remain open before patching, and for how long it had been going on.
So, what are you supposed to do?
Zappos and 6pm want you to change your password, and I have an additional suggestion.
Change your Zappos and 6pm.com passwords
You’re going to have to do this step if you ever log into Zappos.com or 6pm.com again. Both sites will force you to reset your passwords, so if you’re a customer at both sites you’ll have to do this twice.
- Attempt to log in as normal.
- You’ll see a screen like this (taken from 6pm.com):
- Click the big red button, then you’ll see a screen like this:
- As of this writing, it took about fifteen minutes for the emails to come through from either site.
- The email contains a secure link that forces you to change your password. The password has to be at least eight characters long and must contain letters, numbers, and symbols
You will receive one final email about fifteen to thirty minutes later stating that your password was successfully changed.
Use different usernames and passwords for EVERY site
So, in addition to the above, you should really consider using a password management program. I have different passwords for all of my online accounts. If 6pm or Zappo’s servers were hacked to the point where they retrieved my password they wouldn’t be able to compromise my logins on other sites. Remember how Sony got hacked multiple times last year? Sony stored user passwords in plain text, which means they didn’t even try to scramble them with encryption.
People who used the same username and password on other sites were in for big trouble. Many Sony customers reported fraudulent purchases on sites like Amazon, Target, etc because they used the same username and password over and over again. Once hackers got the information from one site, they tried using it on many other sites.
Don’t be that guy. At least use different passwords on different sites. Even big companies like Sony can fail to take rudimentary security precautions.
I’ve been using KeePass for about four and a half years now. Here’s my review, even if some of the information is outdated due to software updates. As of this writing, there’s a problem is you use the MONO environment, with a workaround until KeePass releases an official fix. If you have no idea what that last sentence means you are okay to use the standard 2.18 version.
There are other good password management software packages out there, but the idea is to not use the same password on different sites.
I hope that no one was adversely effected by the Zappos / 6pm account hack. Keep an eye on your bank accounts, credit cards, and credit file just in case.