Zappos Data Breach

Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said “to my knowledge”; plenty of data leaks don’t get reported. I haven’t been a part of a major one, though, at least according to pwnedlist.com, where you can check to see if your email address or username has been leaked.

There are a few things still not known about the Zappos breach, such as how they were compromised and, more importantly, whether the password hashes (it’s presumed that “scrambled” means hashed) were salted. Important questions, true, but I am not worried in the least. Why? Because I use a password manager, and so I don’t care about the password being compromised. In fact, here’s my old Zappos password: “TaH8pcEloWsb8R1nrol2”. It’s useless now, because it’s been changed, and more importantly, it’s unique and random.

Hackers can do a lot of things with this data. They can take the email address and do phishing attacks against you, such as sending out an official-looking email purporting to be from Zappos asking you for your password, credit card number, and so forth. What they really hope for, though, is to get the plaintext password and see if it works on other sites. Even if passwords are hashed, they can sometimes be recovered, especially if they aren’t complex enough. And once they have that password, they’ll try to log onto banking sites, credit card sites, and anything else they can think of. Because so many people reuse their passwords, it sometimes works, and now the Zappos breach has drained your bank account.

A password manager (I use KeePass) stops this in two ways. First, it can generate very complex, random passwords. It is orders of magnitude harder to figure out a complex password from a hashed value than something like “password”. More importantly, though, even if they do somehow get the password, perhaps because the website has broken every security rule by storing the password in plain text, it’s unique. They may be able to log onto that website, but that’s it. The password is not shared with a banking website, or any other website.
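As an added example (not code from the original post), the Python sketch below shows why the salting question and the password manager both matter: in an unsalted dump, every user who picked the same weak password shares one hash, so a single wordlist lookup table recovers all of them at once; a per-user salt breaks that shared table, and a manager-generated random password never appears in a wordlist at all. The account table, the wordlist, and the `generate_password` helper are constructed for this demo.

```python
import hashlib
import os
import secrets
import string

# Constructed sample of a leaked user table (not real Zappos data).
# Two users reuse the same weak password; one uses a random one.
CONSTRUCTED_ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "password",
    "carol@example.com": "TaH8pcEloWsb8R1nrol2",  # manager-generated
}

# A tiny constructed wordlist standing in for the huge ones used in practice.
CONSTRUCTED_WORDLIST = ["123456", "password", "letmein", "zappos1"]


def unsalted_hash(password: str) -> str:
    """'Scrambled' the weak way: one plain SHA-256 over the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus iterated PBKDF2, which slows each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def leaked_unsalted(accounts: dict) -> dict:
    """What a breach of an unsalted site hands out: email -> hash."""
    return {email: unsalted_hash(pw) for email, pw in accounts.items()}


def exposed_by_wordlist(leaked: dict, wordlist: list) -> dict:
    """Defender's exposure check: hash the wordlist once, then every
    account whose stored hash is in that table is trivially recoverable."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}


def salted_hashes_differ(password: str) -> bool:
    """With per-user salts, two users sharing a password get different
    stored values, so one precomputed table cannot hit both."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


def generate_password(length: int = 20) -> str:
    """Roughly what a password manager does: CSPRNG over a large alphabet."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Run `exposed_by_wordlist(leaked_unsalted(CONSTRUCTED_ACCOUNTS), CONSTRUCTED_WORDLIST)` to see that only the two “password” accounts come back; the random one does not.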

Using a password manager is a bit of a chore. It’s somewhat cumbersome and inconvenient. However, the extra 30 seconds it takes to use a password manager is well worth the peace of mind I get from knowing that even if the password to a website I use once a year is compromised, the damage is limited only to that site.