Zappos.com has taken pains to assure customers that their credit card information is safe after a data breach, reported over the weekend, that compromised the information of up to 24 million customers, including names, mailing and billing addresses, phone numbers, truncated credit card numbers and “cryptographically scrambled” passwords. But one cybersecurity expert says consumers shouldn’t be complacent about how their online data is encrypted, stored and sometimes left vulnerable. Zappos says that customers’ credit card numbers weren’t put at risk. But Tim Rohrbaugh, vice president of information security at Internet security consulting firm Intersections, says hackers could do plenty of damage with the information they did grab.
“Some of these details are what constitutes authentication at a call center or website,” he points out. This means a crook with access to, say, a person’s mailing address might be able to go online and pretend to be that person — and then possibly find out their credit card information or other details.
Zappos sent customers an email over the weekend instructing them to change their passwords to try to prevent further compromise of their personal information. The retailer, which is owned by Amazon, also recommended that customers change their passwords on other sites if they had used their Zappos password there.
Although Zappos isn’t saying, Rohrbaugh says it appears that the hack might have been the work of “malicious code” that infected one or more servers, as opposed to an all-out attack on the retailer’s main site.
But the bad news, Rohrbaugh says, is that reading between the lines leads him to suspect customers’ passwords could be exposed. “You look for certain words,” he says of how the company described the exposed information. In communication with customers, Zappos didn’t say that the compromised passwords were encrypted, only “cryptographically scrambled,” a virtually meaningless term that could indicate hackers might be able to easily figure out the actual passwords.
In an increasingly sophisticated criminal marketplace, hackers will keep files on victims, accruing pieces of information a little bit at a time until they have a profile they can use to open fraudulent accounts. “The thing people need to understand is the crime of identity theft isn’t just about credit card data,” Rohrbaugh says.
The most important step consumers can take is to use a different password for each online shopping account, he says. Reusing the same password across multiple accounts heightens your chances of having your identity stolen. Rohrbaugh adds that another important, although easy, step is to create separate email accounts for your online retail activity and your online financial services communication. That way, even if hackers get into a retailer site, they won’t be able to trace that identity to your bank account or credit card.