PORTLAND, Ore. — Online shoe seller Zappos.com says a hacker may have accessed the personal information of up to 24 million customers.
Customers’ credit card and payment information was not stolen, but names, phone numbers, email addresses, billing and shipping addresses, the last four digits from credit cards and more may have been accessed in the attack, according to an email that CEO Tony Hsieh sent Sunday to employees.
Hsieh said the company would notify the more than 24 million account holders about the information that might have been obtained. The messages will encourage customers to create a new password for both Zappos and “any other website where you use the same or a similar password.”
The company had already reset all passwords, the email said.
Zappos said the hacker gained access to its internal network and systems through one of the company’s servers in Kentucky. Zappos is based near Las Vegas. It is owned by Seattle-based Amazon.com.
Hsieh said the company temporarily shut off its phones, directing customers to correspond by email because the phone systems could not handle the expected volume of inquiries.
All employees at the company’s headquarters in Henderson, Nev., would be asked to assist customers, he wrote.
“We’ve spent over 12 years building our reputation, brand and trust with our customers,” Hsieh said in his email.
“It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
The New York Times contributed to this report.
Online
Zappos.com information on password change for customers: www.zappos.com/passwordchange
CEO email and statement: http://blogs.zappos.com/securityemail