{"id":629,"date":"2012-01-17T19:41:15","date_gmt":"2012-01-18T01:41:15","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=629"},"modified":"2012-01-17T19:44:18","modified_gmt":"2012-01-18T01:44:18","slug":"zappos-data-breach","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2012\/01\/zappos-data-breach\/","title":{"rendered":"Zappos Data Breach"},"content":{"rendered":"<p>Zappos.com recently had a <a href=\"http:\/\/www.securitynewsdaily.com\/zappos-data-breach-1498\/\" target=\"_blank\">data breach<\/a>. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It\u2019s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said \u201cto my knowledge\u201d; plenty of data leaks don\u2019t get reported. I haven\u2019t been a part of a major one, though, at least according to <a href=\"https:\/\/pwnedlist.com\/\" target=\"_blank\">pwnedlist.com<\/a>, where you can check to see if your email address or username has been leaked.<\/p>\n<p><!--more--><\/p>\n<p>There are a few things still not known about the Zappos breach, such as how they were compromised and, more importantly, whether the password hashes (it\u2019s presumed that \u201cscrambled\u201d means hashed) were <a href=\"http:\/\/en.wikipedia.org\/wiki\/Salt_(cryptography)\" target=\"_blank\">salted<\/a>. Important questions, true, but I am not worried in the least. Why? Because I use a password manager, so I don\u2019t care about the password being compromised. In fact, here\u2019s my old Zappos password: \u201cTaH8pcEloWsb8R1nrol2\u201d. It\u2019s useless now, because it\u2019s been changed, and more importantly, it\u2019s unique and random.<\/p>\n<p>Hackers can do a lot of things with this data. 
They can take the email address and do phishing attacks against you, such as sending out an official-looking email purporting to be from Zappos asking you for your password, credit card number, and so forth. What they really hope for, though, is to get the plaintext password and see if it works on other sites. Even if passwords are hashed, they can sometimes be recovered, especially if they are weak or the hashes are unsalted, in which case each guess can be checked against every account at once. And once they have that password, they\u2019ll try to log onto banking sites, credit card sites, and anything else they can think of. Because so many people reuse their passwords, it sometimes works, and now the Zappos breach has drained your bank account.<\/p>\n<p>A password manager (I use <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/02\/useful-computer-utilities-keepass\/\" target=\"_blank\">KeePass<\/a>) stops this in two ways. First, it can generate very complex, random passwords. It is orders of magnitude harder to figure out a complex password from a hashed value than something like \u201cpassword\u201d. More importantly, though, even if they do somehow get the password, perhaps because the website has broken every security rule by storing the password in plain text, it\u2019s unique. They may be able to log onto that website, but that\u2019s it. The password is not shared with a banking website, or any other website.<\/p>\n<p>Using a password manager is a bit of a chore. It\u2019s somewhat cumbersome and inconvenient. However, the extra 30 seconds it takes to use a password manager is well worth the peace of mind I get from knowing that even if the password to a website I use once a year is compromised, the damage is limited only to that site.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? 
It\u2019s somewhat special to me, since it is, to my knowledge, the first time that I have been part&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2012\/01\/zappos-data-breach\/\">Continue reading <span class=\"screen-reader-text\">Zappos Data Breach<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[199,76,198],"class_list":["post-629","post","type-post","status-publish","format-standard","hentry","category-security","tag-data-breach","tag-password","tag-zappos","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=629"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/629\/revisions"}],"predecessor-version":[{"id":631,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/629\/revisions\/631"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/t
ags?post=629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
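Added example, not from the original post or its author: a small Python script that plays out the attack the post describes (a dictionary attack on a leaked hash table, then trying the recovered passwords on other sites) and the two defences it recommends (salted hashing, and random passwords that are unique per site). The breach table, the "other sites", the wordlist, and carol's second and third passwords are all constructed for the demo; the only value taken from the post is the old Zappos password it quotes.

```python
import hashlib
import math
import secrets
import string

# Constructed sample breach table. Plaintexts are kept here only so the example
# can compute realistic hashes offline; an attacker would see only email + hash.
BREACHED_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "letmein",
    "carol@example.com": "TaH8pcEloWsb8R1nrol2",  # the random password quoted in the post
}

# Constructed accounts on other sites. alice and bob reuse their breached
# password; carol (password-manager user) has a different random one everywhere.
OTHER_SITES = {
    "bank.example": {"alice@example.com": "password",
                     "carol@example.com": "vZq9mB2Rt0xL3kPwQ7sN"},
    "mail.example": {"bob@example.com": "letmein",
                     "carol@example.com": "H4dLp0xWq8Ys2RtKmN6b"},
}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "letmein", "qwerty", "zappos2012"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def unsalted_sha1(pw):
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_hash(pw, salt, iterations=10_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); iteration count kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_unsalted_table(users):
    return {email: unsalted_sha1(pw) for email, pw in users.items()}


def build_salted_table(users):
    table = {}
    for email, pw in users.items():
        salt = secrets.token_bytes(16)  # fresh per-user salt
        table[email] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table, wordlist):
    """Hash each candidate once and match it against every account.
    Returns (recovered passwords, number of hash computations)."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    found = {email: lookup[h] for email, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table, wordlist):
    """With per-user salts every candidate must be re-hashed for every account,
    so the work grows with users * wordlist instead of just wordlist."""
    found, work = {}, 0
    for email, (salt, h) in table.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                found[email] = w
                break
    return found, work


def credential_stuffing(recovered, other_sites):
    """Try every recovered email/password pair on every other site."""
    hits = []
    for site, accounts in other_sites.items():
        for email, pw in recovered.items():
            if accounts.get(email) == pw:
                hits.append((site, email))
    return sorted(hits)


def generate_password(length=20, alphabet=ALPHABET):
    """What a password manager does for each site: a fresh CSPRNG-drawn password."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing cost in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    recovered, work = crack_unsalted(build_unsalted_table(BREACHED_USERS), WORDLIST)
    print("unsalted:", recovered, "hashes computed:", work)
    recovered_s, work_s = crack_salted(build_salted_table(BREACHED_USERS), WORDLIST)
    print("salted:  ", recovered_s, "hashes computed:", work_s)
    print("stuffing hits:", credential_stuffing(recovered, OTHER_SITES))
    print("random 20-char password:", generate_password(), f"~{entropy_bits(20):.0f} bits")
```

Running it shows the three points of the post in one go: the weak, reused passwords fall to a five-word dictionary and immediately open the bank and mail accounts; the salt does not stop weak passwords from being cracked, but the work counter shows why it matters (each guess has to be re-hashed for every account rather than once for the whole table); and carol's random 20-character password neither appears in any wordlist nor, even if it were leaked in plaintext, works anywhere else. The PBKDF2 iteration count is deliberately small so the demo runs quickly; a real deployment would use a far higher count or a memory-hard function.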