questionshave you heard about


They did say that the database that stores the critical cc info was not affected...

I was fortunate enough to not have any pertinent info saved on the site. Just name and email, as I have an account, but have never made a purchase.

I've always been curious as to how these things happen. Sure, I know my way around a computer, but nowhere near enough to crack/hack/phreak, etc...

Truly interesting, and scary!


Got the same email from, which is a sister/subsidiary of Zappos.


Yep.. I also just got an email from


I haven't received an e-mail from them yet and I have shopped there within the past couple of months.


I ordered from, earlier this month. No email, yet. I paid with PayPal. I'm wondering if I will get an email.


Interesting. Doesn't show up on Dataloss, but then again, I don't pay attention in the way I used to.

Other than your brief commentary on Deals, I'm not finding it. Maybe it'll show up tomorrow. Now you've got me curious; I may be back.

[Edit] Now this is fun:

Thanks. I love entertainments, and this certainly qualifies.


I didn't even know Zappos owned until I got the email this morning.


Amazon owns Zappos and Amazon owns Woot...let's hope this is just limited to Zappos

s21 s21

@s21: Funny you say that. My credit card was hacked yesterday. I always use PayPal and the only site I have bought from lately where I used my credit card was Woot. No offense Woot, I'm sure the hack job could have come from anywhere. It was an online charge to a bookstore in Phoenix Arizona. I caught it immediately, in a pending status, so the fraud dept. from my CC company shut down my card asap and that was that. No big deal, such is life...


For everyone's reference that's starting to be concerned. Amazon's customer database (especially the financial information) is separate from any of its subsidiaries. In addition, this is true of Woot (unless things have changed in the past few weeks, and I strongly doubt it).

Zappos may or may not share a back end with 6PM. I shop at neither, and so will not have investigated them. Yes, I'm that crazy. I don't give random strangers, even well known ones, my information, without doing some fairly serious research.

There's still nothing much out there about this, but it is the weekend. I may show back up on Monday, or perhaps Tuesday, with other information. It just sounds like a few accounts were compromised, and (at least so far) no word on what really happened.

Could have been a drive by, could have been internal, there's just so many interesting possibilities...


Interesting. I didn't get one of those emails, but I also haven't ordered anything from zappos in about 2 and a half years. Maybe they only got info on recent purchasers.


@shrdlu: I'm curious to know how it happened!


Now here's the catch, "We also recommend that you change your password on any other web site where you use the same or a similar password". From what I've read, the passwords were cryptographically scrambled, but it seems they're a little worried about it.


Here's a clip from the email sent to 6PM employees:

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.

Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


I think this is a very good statement made by a user on SlickDeals:

"What matters is that if you used the same email and password combo with ANY other website (ebay, amazon, bank, credit card, etc.), then the chance exists that if the entity that is responsible for this hacking is able to decrypt your stolen password, they will potentially be able to login to your account on any other website you have used that email address and password combo."


did not get an email. have bought off in the past 6 mos though... guess i'm not effected! Ignorance is Bliss!


Received an email from a few hours ago. Also a customer of Zappos, but I have not seen anything from them yet.


It is a website very popular in UK. They sell fashion dresses.


@missellienc: Depending on how passwords are stored (and how strong they are) they can be decrypted. It's easiest when the password is simple (a single word, or a single word + a number or two), as the real password can then be found using a rainbow table.

Though they say that credit card information wasn't touched, do beware. Several other high-profile hacks that believed such information wasn't accessed found out down the road that it actually was compromised. For example, IIRC the big sony online hack originally said that it wasn't affected only to find out down the road that some actually were.

The short of it is, anyone that uses a retailer that gets compromised at all should always check their credit cards and change any passwords that may have been the same or close to the same. Sure it's inconvenient, but it's a LOT less inconvenient than dealing with the aftermath if your credit card or another site account gets hijacked.


@claudicina: For some interesting but scary background on how such data theft is done, try these stories:

Factual story:

More detailed, documentary-style:

(I love the second one, primarily because it points out how one curious cop helped unravel the entire crime.)

I often tell my credit union's members about Gonzalez, because it's one of the few cases which actually ends up with a conviction and incarceration. We don't often hear good news about this type of crime.


@magic cave: Nice! Thanks for the links they're great!


@magic cave: I better brush up on my SQL...

SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable


@claudicina: As I'd suspected, the fit hit the shan this morning. Here's a nice central clearing house where most of the interesting information is collected.

{Spend a little time on the dataloss site so that you'll know what all their acronyms mean. I used to be on the mailing list, but unsubscribed from all the security mailing lists a couple of years ago.}


@shrdlu: That's crazy! Lucky for me a list of the acronyms was at the bottom of the page!


I was a casual customer of 6pm's but that ceases today. Mainly - it wasn't the fact that they were hacked, but rather the responses i've been getting from customer service in response to my inquiries. (note: inquiries, not complaints)

it was a flippant "lawyer up" tone with too much defensiveness, given the nature of the breach and my legitimate question regarding my data.