LastPass FTW! The attacker will reverse my password just to find a bunch of unusable bits :). What would be even cooler is an API on top of LastPass that sites like Zappos could hook into to force a behind-the-scenes change of passwords, similar to revoking a compromised certificate. Essentially, since there is some lead time after the breach is discovered and before the attacker manages to crack the long, random passwords, their efforts would be futile by the time they are done since all LastPass passwords would have already been changed.
Or we could just stop using passwords everywhere and not have this problem again. Anybody? Anybody?
Disclosure: I have no affiliation with LastPass beyond being a satisfied user.
I used to have three different passwords of varying complexity that I shared across sites.
When Gizmodo's database was compromised and I didn't know which password I used there, I decided to stop using the same set of passwords everywhere and started generating and storing my passwords using 1Password. It's a little annoying to use on my iPhone (particularly having to type my long master password on the soft keyboard), but it's dead simple to use on the desktop and I recommend it to everyone. I still have some sites that use my old passwords, but 1Password's Smart Folders let me search my passwords for those and I plan on changing those today.
(I haven't used LastPass so I can't comment on how it compares to 1Password)
This is exactly what I do and I've switched friends and family over as well.
Whenever they bring up the perceived inconvenience (which goes down on the desktop with practice) I simply remind them how much time they will waste if one of their accounts is compromised.
Sure their foursquare (or pick another random service that doesn't hold EXTREMELY important data) account isn't that important but when it uses their Gmail address and has the same password they are just begging for trouble.
Also this gets them out of logging on to their Gmail and Facebook accounts from public computers. They still don't fully understand the possible problems but at least now it is such an inconvenience they just use their own devices.
> What would be even cooler is an API on top of LastPass that sites like Zappos could hook into to force a behind-the-scenes change of passwords
How would Lastpass protect against an attacker masquerading as the third party website? (Especially considering this feature would be used when a website finds itself compromised.)
Maybe an API is overkill in this case. Instead, a simple web service with a twist: Zappos has a private key and LastPass has the corresponding public key. Now, if Zappos.com is compromised and the breach is discovered and fixed, their CEO/CTO/head security guy grabs the private key and authenticates to LastPass, telling them that he is in fact who he says he is, and finally triggers the massive automatic password reset. Obviously, this will not work if the private key is compromised, but then again, our whole web security paradigm is "trust that the website owner knows what s/he is doing", so this is already a step up.
Or, as I mentioned, let's do away with passwords. Anyone can have your public key so long as your private key stays private.
Well, lastpass doesn't store the passwords on its servers in a way that they could just change. From my understanding the database is only decrypted on the client machines when the master password is entered.
Still, the idea of a service for handling this makes sense. Rather than one based on a single vendor, a simple API for querying compromised domains would handle it. Then the lastpass extension can call that api for a list of the user's domains and see if anything needs to be changed. Being more general (just giving out information about recently compromised sites) also seems more useful, in that people would do a lot of different things with it.
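The check described above, as an added example that is not part of the thread and not LastPass code: a password manager runs its decrypted vault against a hypothetical "recently compromised sites" feed and, going one step further than the comment, also flags every other entry that reuses a burned password. The vault, the feed, the field names and the date-based rule are all assumptions constructed for the example.

```python
# Added example: vault-vs-breach-feed check a password manager could run client-side.
# All data below is constructed; the feed format is an assumption, not a real API.
from datetime import datetime

# Constructed vault as the manager sees it after local decryption.
VAULT = [
    {"site": "www.zappos.com", "password": "Tr0ub4dor&3", "changed": "2011-06-01"},
    {"site": "mail.example.com", "password": "Tr0ub4dor&3", "changed": "2010-01-10"},
    {"site": "secure.zappos.com", "password": "x9!kQ-long-random", "changed": "2012-01-17"},
    {"site": "news.ycombinator.com", "password": "unique-pw", "changed": "2011-11-11"},
]

# Constructed feed entry: registrable domain and the date the hole was closed.
# Any password that existed on or before that date must be treated as exposed.
BREACH_FEED = [
    {"domain": "zappos.com", "fixed": "2012-01-16"},
]


def registrable_domain(host):
    """Collapse a hostname to its last two labels. Adequate for this example;
    a real implementation would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def entries_to_change(vault, feed):
    """Return the sorted list of vault sites whose password must be changed:
    entries on a breached domain whose password predates the fix, plus every
    other entry that reuses one of those passwords (an attacker who cracks the
    stolen hash will try it on the user's other accounts)."""
    fixed = {b["domain"]: datetime.fromisoformat(b["fixed"]) for b in feed}
    exposed = []
    for entry in vault:
        fix_date = fixed.get(registrable_domain(entry["site"]))
        if fix_date and datetime.fromisoformat(entry["changed"]) <= fix_date:
            exposed.append(entry)
    burned = {e["password"] for e in exposed}
    return sorted(e["site"] for e in vault if e["password"] in burned)


if __name__ == "__main__":
    # Expected: ['mail.example.com', 'www.zappos.com']
    print(entries_to_change(VAULT, BREACH_FEED))
```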
There was also the XSS flaw in Feb last year that allowed an attacker to retrieve your email address, your password reminder, the list of sites you log into and the history of your logins, including which sites you logged into, the time and dates you logged into them, and the IP addresses you logged in from.
Well they said that their database was compromised and they were not sure what was accessed.
So I stopped using them after that incident.
It was a while ago; I don't remember the particulars, but I do remember they said they were not sure if someone stole everyone's password, so everyone should change their master password to be safe. So I deleted my account to be safer.
> Well they said that their database was compromised
No they didn't.
> I don't remember the particulars
Then why do you make such explicit claims about what happened? They spotted a traffic anomaly on their network and went into complete paranoid mode. It is completely unknown, even to them, whether someone unauthorized accessed their database or whether they just couldn't account for some traffic on their internal network.
I don't know anyone else that monitors the traffic on their network to detect unauthorized access and I know many companies that don't. That's already a huge plus and it makes me trust them with security in general all the more.
For that reason, I find the 1Password model more suited to my tastes. Using Dropbox to sync, it works just as nicely and I'm not beholden to a third party central database (LastPass).
Hi. I'm a customer outside of the US and I received the email, went to the site to reset my password and "We are so sorry – we are currently not accepting international traffic" - WTF? (sorry, but there is your logic?)
Just a precaution while we assess and deal with this. Zappos doesn't ship internationally so we hope this isn't affecting many customers. But to those that are, we apologize. As soon as we can we'll re-enable traffic from outside the US.
I for one would love Zappos to ship internationally, and your owners at Amazon already do. I know you can't comment, but please do what you can to push for selling to the other 6.7 billion of us.
I'm in Chile as part of Start-Up Chile. What exactly do you need? PS - I am also a US customer. A block on international traffic affects more than just international customers.
Ah, I understand now. You mean you want companies to just replicate Zappos outside the US. Any chance that there could be a "Zappos API" where we could white label Zappos, and pick up the goods at the Zappos warehouse for foreign shipment?
I think they developed Javari in most of their European markets and logistics are handled by Amazon themselves.
Zappos is operated completely separately from Amazon, so in order to expand internationally they would have to roll their own operations internationally.
As a developer who fears these kinds of attacks on my own sites, is there anything you are able/allowed to reveal regarding how the attack happened, how it was discovered, and/or how it could be prevented?
Good job on not storing or sending clear text passwords. However, as others have indicated, we would like to know more about the hashing method used.
As a side note, I was horrified to discover that Hertz sends passwords (as part of password recovery) in the clear. For those using Hertz, you should take the appropriate precautions.
+1 for bcrypt - "ordinary" hashing algorithms were made to compute as fast as they can, which is exactly the opposite of what you will want for your system. Rainbow tables are so quick and easy to make - IIRC it currently takes only some hours to compute all MD5 hashes for passwords up to 8 characters long on a system with some good graphic cards.
What you want is an algorithm which takes an up-to-date system some 10-100ms to compute a hash - bcrypt is configurable in its complexity (time to compute hash), and you should adapt the parameters every 1-2 years to increase the complexity.
Security through obscurity should not be used. Just saying. IMO, revealing the method used should not become an issue, just like the reason why the more trusted crypto algorithms are publicly posted.
That said, bcrypt and a time/attempt limited lockout should go a good ways in securing your site.
Salt. Seriously. A big, long, gnarly-looking salt. Preferably a unique salt per user. Really, even just that is sufficient, even if stored right next to the hash. It means doing a bruteforce/dictionary attack one user at a time rather than one bruteforce/dictionary attack of all the users at once (static salt) or just googling the hash (unsalted hash).
Also, are these passwords encrypted or hashed? Those two are miles away from each other and you guys are using both words nearly interchangeably. If encrypted, where is the key? Was it compromised?
MD* - No, SHA* - No, Bcrypt - Yes!, Scrypt - Not yet (PDI). Make sure you also calibrate the work factor for Bcrypt, too. Then, write a blog entry about your findings.
Plaintext passwords never touch our database. Expiring everyone's passwords was a security precaution given the fact that our non financial customer data was compromised in the first place. I can't comment on what lib or algorithm we use to encrypt our passwords since I don't work on that team.
Obviously in this kind of situation we (Zappos customers like myself) need to change any re-used passwords since the stolen unsalted hashes :( can be cracked. However, I have no idea which of several passwords I used at Zappos! I would normally just try logging in with each of them, but since you've reset all passwords, it looks like I won't be able to. Is there any chance of helping with this? I need to make sure it wasn't a password I use on any important sites (or derived from such a password).
I'm looking for the data dump right now, in case it was posted publicly--that's probably the only way I'll be able to answer my question since I doubt Zappos will cooperate :(
As someone who was just bit by the Stratfor data loss, this is the second month in a row. Fortunately my Stratfor password was worthless, but I had my credit card stolen and used to pay for video games. And now my email and street address are public information.
Most likely your password reset email is in the queue to go out. Emails are slow to go out due to the massive volume of outgoing email we are trying to send out.
"dear bestnameever, i know about those high heels you bought, and i happen to know you don't have a girlfriend. $1000 in unmarked bills or we tell your father you're a cross-dresser."
Or the incredibly geeky wife who suspects her husband is showering the hot secretary with shoes and handbags, and confirms it by poring over the breached data.
All Zappos customers will be receiving the email linked to in this thread. If you haven't it might be in your spam folder or it might still be queued to go out. The link above is the same as the email contents.
I apologize if my question was unclear; that's almost certainly because of a lack of expertise on my side.
On one end of the spectrum, I envision the same salt used for every user, allowing for the easy and effective creation of rainbow tables. On the other end, I envision unique salts with many bits of entropy for each user, making rainbow tables technologically infeasible.
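The three schemes contrasted in this comment and in the bcrypt/salt comments above, as an added example that is not from the thread: no salt, one site-wide salt, and a unique per-user salt with a tunable work factor, plus the calibration loop for the 10-100 ms target suggested earlier. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the slow, configurable hash; the salt and cost arguments apply to bcrypt in the same way. The static salt value is constructed.

```python
# Added example: unsalted vs static-salt vs per-user-salt password storage, with
# work-factor calibration. PBKDF2-HMAC (hashlib) stands in for bcrypt, which is
# not in the standard library; the storage format below is an assumption.
import hashlib
import os
import time

STATIC_SALT = b"site-wide-salt-constructed"  # constructed value for the static case


def hash_unsalted(password):
    """Plain MD5: equal passwords give equal hashes, so one lookup (or one
    precomputed table) covers every user and every site that does this."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_static_salt(password):
    """One salt for the whole site: defeats generic rainbow tables, but a
    single cracking run still tests each guess against all users at once."""
    return hashlib.md5(STATIC_SALT + password.encode()).hexdigest()


def hash_per_user(password, iterations, salt=None):
    """Random 16-byte salt per user plus an iteration count. Salt and cost are
    stored alongside the digest so the cost can be raised in later years."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_per_user(password, stored):
    """Recompute with the stored salt and cost and compare the full record."""
    _, iters, salt_hex, _ = stored.split("$")
    candidate = hash_per_user(password, int(iters), bytes.fromhex(salt_hex))
    return hashlib.sha256(candidate.encode()).digest() == hashlib.sha256(stored.encode()).digest()


def calibrate(target_ms=50.0, start=10000):
    """Double the iteration count until one hash costs at least target_ms on
    this machine; re-run this every year or two and re-hash at next login."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hash_per_user("calibration-only", iterations)
        if (time.perf_counter() - t0) * 1000.0 >= target_ms:
            return iterations
        iterations *= 2
```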
Agree. So many companies don't act like grown-ups and just try to cover up the problem.
Still, it's going to be pretty tough getting your average customer back who hears they've been "hacked" and are afraid to create a new password. Not to mention the average customer's password is probably the same password across facebook, gmail, etc.
While they do get "+1" for this, they haven't provided any further details of what exactly they did with the passwords. Did they use a salt? Was the hashing algorithm MD5, bcrypt, or something else? If they used MD5 with no salt, your password may not be much more secure than a clear text password unless it's particularly complex.
Subject: Information on the Zappos.com site - please create a new password
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com
As a rule, anytime something like this happens, you should change your password (and any other place you use the same password or a variation of it). That being said, we are bursting the emails (as I believe Dylan commented already). Spam filters being what they are, it's possible it may be in there, so I would suggest you change your password.
My thanks to Zappos for that email. It was enough for me to give my wife necessary suggestions to secure her associated accounts without alarming her.
It is probably worthwhile in these situations to provide basic implication info for laymen, i.e. implications of "your cryptographically scrambled password."
I've been having issues with Zappos for a couple days. I called up support yesterday and they said they were "upgrading the website and had bugs they were trying to get fixed." Not sure if this is related or just a coincidence.
Probably coincidence. Companies that expect a lot of Christmas traffic minimize changes from Thanksgiving to Christmas, and web retail gets more traffic during business hours in America, so I expect that this weekend and last weekend saw a lot of code deployments, and so things are more likely to be broken specifically right now than pretty much any other time of the year.