Online shoe store Zappos.com got hacked. Among other things, the hackers got names, addresses, e-mail addresses, and encrypted passwords. That’s not as bad as getting unencrypted passwords, but there are some things you need to do immediately if you shop at Zappos.com.
The first, of course, is to change your password. And if you used the same password anywhere else–anywhere!–change it there too. Don’t ever use that password again.
The attackers got the encrypted passwords, but you’d better believe there are vast herds of lowlifes working to decrypt them now. That will take some time, but depending on how Zappos encrypted them, it may be only a matter of time before someone manages to decrypt the simplest passwords. Collections of dictionaries encrypted with the most common encryption schemes exist online, so all it really takes is running those collections against the stolen data and looking for a match. It could be a matter of days before the easiest passwords become known.
It’s possible that the passwords are encrypted well enough that uncovering them is computationally infeasible–I won’t bore you with the specifics of how that works–but we’ll never know that. It would be irresponsible for Zappos.com to release the information required to make that judgment. So the responsible thing to do is assume the worst.
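For readers who do want the specifics, here is an added example (not part of the original post, and not Zappos's actual scheme, which is unknown) showing why a precomputed dictionary matches passwords stored with a fast, unsalted hash and gets no hits when each password has its own random salt and a deliberately slow hash. The word list, the accounts, and the choice of SHA-256 and PBKDF2 are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list and two made-up accounts.
WORDLIST = ["password", "sunshine", "shoes", "monkey", "dragon"]
ACCOUNTS = {"alice@example.com": "sunshine",       # dictionary word
            "bob@example.com": "T7#qv-Lm2!xRz"}    # not in any word list

def fast_unsalted(password):
    """Weak storage: one fast hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted(password, salt, iterations=200_000):
    """Stronger storage: per-user random salt plus a deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_lookup(words):
    """The 'dictionary encrypted ahead of time': hash -> word, computed once."""
    return {fast_unsalted(w): w for w in words}

def recovered_by_lookup(stored_hashes, lookup):
    """Accounts whose stored hash appears in the precomputed table."""
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}

def store_salted(accounts):
    """Return {user: (salt, digest)} with a fresh 16-byte salt per account."""
    records = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        records[user] = (salt, slow_salted(password, salt))
    return records

def verify(record, candidate):
    """Login check for the salted scheme, using a constant-time comparison."""
    salt, digest = record
    return hmac.compare_digest(digest, slow_salted(candidate, salt))

def demo():
    lookup = build_lookup(WORDLIST)
    unsalted = {u: fast_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = store_salted(ACCOUNTS)
    salted_digests = {u: digest for u, (_salt, digest) in salted.items()}
    return {
        "unsalted_hits": recovered_by_lookup(unsalted, lookup),
        "salted_hits": recovered_by_lookup(salted_digests, lookup),
    }

if __name__ == "__main__":
    print(demo())
```

Salting only makes the precomputed table useless; a dictionary word can still be guessed one account at a time, just far more slowly, which is why changing a simple password is still the right move.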
If you have any other online accounts where your username is the e-mail address you used at Zappos.com and the password is a simple dictionary word, change that password immediately. I wrote this past summer about choosing passwords.
And unfortunately, you’re probably going to get more junk mail and spam now, because the lowlifes who stole the information will sell it to marketers. There’s not much of anything you can do about that. Modern hackers are motivated by money, and a collection of known-good postal and e-mail addresses is a quick source of it.