Smart Spending

You shopped at Zappos: Now what?

A security breach may have exposed 24 million customers to the threat of identity theft. Here's how to protect yourself when you buy shoes or anything else online.

By Karen Datko Jan 16, 2012 8:02PM

You can bet that Lisbeth Salander wasn't behind the hacking that compromised personal information of 24 million Zappos and 6pm customers through a company server in Kentucky. Fans know the mysterious Swede with the dragon tattoo hacks only for truth and her brand of justice. The folks who gained access to customers' names, regular and email addresses, phone numbers, last four digits of credit cards and/or "cryptographically scrambled" passwords were crooks. (Oh, yeah, and Salander is a fictional character, but let's not sweat the details.)


The security breach at Zappos and affiliate 6pm is yet another reminder about how vulnerable our personal information can be. Many of us shop in the online marketplace, so how do we best protect ourselves?

Before you panic, Zappos says complete credit card and other payment information was not accessed.


Here are steps to take with your Zappos (or 6pm) account:

  • Create a new password. Your old password has been retired, just in case the bad guys can break the encryption. If you're one of the 24 million, you'll get an email from Zappos or 6pm telling you to do this. Go to the Zappos website (or 6pm's) and click on the "create a new password" link.
  • If you've used your old password somewhere else, change that one too, Zappos says. Using the same password at two different sites is a huge no-no if you want to protect yourself from ID theft. But Zappos knows how lazy or unknowing people can be. It's a pain, but you need a unique and complex password for each site where you're sharing personal financial information.  
  • Look for updates at this Web page. You can also email Zappos, but don't try to call. They disabled the phones temporarily because the system couldn't have handled the anticipated volume of calls.

Here's what else to keep in mind no matter where you shop online:


When there's a security breach, crooks may try to target victims with email purporting to be from a legitimate company and asking you to click on a link and share more personal data. That email could be very convincing because they already know so much about you. Wrote John Fontana at ZDNet:

Imagine being contacted about an account six months after a breach by someone who had the last four digits of your credit card, your name and your address.
"I would find it really hard to immediately be suspicious of that," said (Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research), who specializes in privacy, security, and other information law issues. "Those are all the indicators we teach people to know that a legit person is trying to contact them."

Thus, you have to maintain your vigilance. Zappos said, "As always, please remember that will never ask you for personal or account information in an e-mail." Neither will the IRS, the FBI, your bank or any other reputable business.



  • Be proactive and change your passwords regularly. Make them strong, using a combination of letters, numbers and symbols. Avoid obvious passwords like the name of your cat or the two most popular passwords of 2011 -- "password" and "123456."
  • Monitor your bank and credit card accounts, and use to pull a free credit report yearly from each of the big three credit bureaus.
  • If you have reason to think your credit card number has been compromised, call your card company.
  • If you think any of your personal information has fallen into the wrong hands, you can put a fraud alert on your credit reports. Another possibility is a credit freeze, but that's not appropriate for everyone.
  • Shop only at reputable websites, and look for "https" in the URL when you're placing an order.

Companies have to constantly work to stay a step ahead of cyber crooks. You also have to do your part.



Jan 17, 2012 9:41AM
I would guess that most people have passwords registered with 200, 300 or even more merchants and other web-sites.  How in the heck is someone supposed to keep track of that many unique passwords?  It's not practical.  What's the answer?
Jan 17, 2012 12:27PM

Havanai ask what is the answer?


The answer is use a program like Roboform to remember all of your passwords. You only have to remember the one password to use Roboform and you only use that password on your own computer, not on the internet.


For the poster who thinks it is safer to not shop online. Every day store clerks, waiters, etc. are ripping off credit card info when they take your credit card to process the payment. In the store they get the whole credit card number along with the security code on the back, the expiration date and are able to copy your signature. Crooks do not limit where they practice and there are many more crooks that are not smart enough to hack the internet but smart enough to get a sales job or wait tables.

Jan 17, 2012 10:33AM



Check out programs like LastPass.  You come up with 1 really, really good password and use it for LastPass.  Inside LastPass you store your passwords for all websites.  Since you don't have to remember them, you can make them very random ( = secure).  Also, make sure your security questions have sufficiently private answers.

Jan 17, 2012 11:02AM
None of these recommendations amount to anything if the "hack" is done from the inside.
Jan 17, 2012 12:12PM
Pathetic article, short on facts, high on BS and typical old, over-hashed advice. The tie-in to the book/movie is just a search-engine grab.
Jan 17, 2012 11:35AM
Take one hacker, one murderer, one rapist, one bank robber, one white collar criminal to start. Department of Justice purchase 30 minutes of airtime on every network during prime time, every six months. Department of Justice borrow one used wood chipper from Parks and Recreation. US Attorney General gives opening remarks to let the world know that this is what we do with criminals and signals ceremony to start. One by one the offenders are fed into the wood chipper on national television. In 24 hrs. the crime rate is cut in half saving twice the cost of the airtime and wood chipper cleaning cost. In six months the US crime rate slows to the point where most police forces spend more time saving cats from trees than looking for criminals. Problem solved.
Jan 17, 2012 12:19PM
my mom just bought me shoes from zappos.  sorry mom.
Jan 17, 2012 9:01AM
i made a purchase from zappos yesterday
Jan 17, 2012 11:16AM


One day they are going to tap into the wrong people and they will wish they were behind bars for their own safety. Why does anyone want to buy online when it is as easy to go to a store and get what is needed (for the most part) and use real currency? The chance of getting robbed is much higher on the internet than in most towns. Besides that, you don't have the business disconnect their phones for a day because the 'system can't handle the stress'; you have living, breathing people doing transactions with you, and it makes jobs in your community, not off somewhere in a warehouse. The internet is fine for talking to friends, playing games and the like, but that is it. It is not and never will be safe. Notice, they're trying to sell some new passwordless system based on typing speed, and a bunch of bs (considering I might type 120wpm, then type 20 depending on multitasking, so whoever thought that up is an idiot)... anyway, how many of you have noticed that every time there is a breach, they're selling something to make things secure (or can it be that the targeted victims are actually pawns in the sale game of internet paranoia)?



Copyright © 2014 Microsoft. All rights reserved.
