Why the Zappos Hack Is A Bigger Security Problem Than the FBI Hack

You may have heard that some personal information for 24 million customers of Zappos, the online shoe-store giant, was breached last month. The hackers didn’t get access to complete credit card numbers (just the last four digits) or unencrypted passwords (just the encrypted ones), but they did get access to names and street, shipping and email addresses.

Then the following week, websites belonging to some of our highest government offices — the White House, FBI and Department of Justice — were shut down in a coordinated protest attack by the hacker group Anonymous.

Which event do you think was a greater security threat? Leaping lizards, it’s the shoe-store attack! Here’s why:

Zappos: A Super-Quick Anatomy of a Network Intrusion

Cyber criminals got into parts of Zappos’ network through one of its servers in Kentucky, according to the Zappos blog. The parts that were compromised included databases with customers’ names and other information, but the actual passwords were stored on different servers. Still, Zappos reset all 24 million account passwords as a precaution. It also recommended that customers change any passwords on other sites that were the same as or similar to their Zappos passwords.

Good idea. Because when hackers have your email address and a collection of personal information about you, it’s easier to get even more information to gain access into your accounts or convince you that their fake emails are real.

Anonymous: A Super-Quick Anatomy of a Denial of Service (DoS) Attack

The “hacktivist” group Anonymous, which is really more like an open-source “brand” that any hacker can use, has been around since 2003 and strikes every month or so. Last month it pulled off its biggest attack to date when it temporarily blocked access to many major websites on the same day: the White House, FBI, Department of Justice, Copyright Office, Motion Picture Association of America (MPAA), the Recording Industry Association and other music industry sites. The goal was to protest the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).

Anonymous temporarily knocked the sites offline by sending massive amounts of traffic to them through a tool used to stress-test networks. While people were inconvenienced because they couldn’t access the websites, no information was stolen or breached in that attack, and it posed no security threat. However, since hackers worldwide use the Anonymous brand, Anonymous events may from time to time be more than a nuisance. For example, after the DoS attack, Anonymous intercepted a conference call between the FBI and Scotland Yard about prosecuting the hacker community and published the conversation online.
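The flood described above shows up on the server side as one source making far more requests than any real shopper could. As an added example that is not part of the original article, the Python below parses constructed web-server access-log lines, keeps a sliding window of request timestamps per source address, and flags any source whose count inside the window exceeds a threshold; the log lines, the 10-second window and the 20-request limit are all assumptions chosen for illustration.

```python
"""Sliding-window per-source request-rate detector for flood-style DoS traffic.

Added example, not from the original article. Log lines, window size and
threshold are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.:
# 203.0.113.5 - - [19/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a valid line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_window_count} for sources exceeding max_requests
    within any window_seconds span. Lines only need to be ordered per source."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # ignore malformed lines rather than crash
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def make_sample_log():
    """Constructed sample: one source fires 30 hits in 6 s, a normal shopper makes 3 hits in a minute."""
    base = datetime(2012, 1, 19, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f'203.0.113.5 - - [{(base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'
             for i in range(30)]
    lines += [f'198.51.100.7 - - [{(base + timedelta(seconds=20 * i)).strftime(TS_FMT)}] "GET /shoes HTTP/1.1" 200 2048'
              for i in range(3)]
    return lines


if __name__ == "__main__":
    print(find_flooders(make_sample_log()))   # -> {'203.0.113.5': 30}
```

A real deployment would feed live log lines into the same function and hand flagged sources to a rate limiter or firewall rule, rather than printing them.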