> series: anatomy_of_a_breach —— part: 037 —— target: zappos —— accounts: 24,000,000 —— passwords: bcrypt_hashed
On 15 January 2012, Zappos — the Amazon-owned online shoe and clothing retailer — disclosed that attackers had penetrated its internal network in Kentucky and accessed a database containing the personal information of approximately 24 million customer accounts. The compromised data included names, email addresses, billing and shipping addresses, phone numbers, the last four digits of payment card numbers, and cryptographically hashed passwords.
What distinguished Zappos from the breaches we have examined throughout this series was not what was stolen — but what was protected and how the company responded. Zappos had stored passwords using bcrypt, a deliberately slow hashing algorithm designed to resist brute-force cracking. Full payment card numbers and CVVs were stored in a separate, uncompromised system. And the company's response — CEO Tony Hsieh's immediate email to all 24 million customers, forced password resets, and transparent communication — set a standard for breach response that many larger organisations have since failed to match.
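A check of the kind the bcrypt point above implies, added here as an example rather than code from the article or from Zappos: given a column of stored password hashes from a database, classify each row by scheme, read the bcrypt cost factor (each increment doubles the work per guess), and flag rows that are unsalted fast digests or bcrypt with a low cost. The minimum cost of 10 and the sample rows are assumptions constructed for the example.

```python
import re

# bcrypt Modular Crypt Format: $2a$|$2b$|$2y$, 2-digit cost, 22-char salt, 31-char digest
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Unsalted hex digests are identifiable by length alone
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
MIN_COST = 10  # assumed minimum acceptable bcrypt cost for this audit (not from the article)


def classify_hash(stored: str) -> dict:
    """Identify the storage scheme of one stored password hash and whether it is weak."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(2))
        # bcrypt runs 2**cost key-setup rounds per guess, so cost sets cracking effort
        return {"scheme": "bcrypt", "cost": cost, "work_factor": 2 ** cost,
                "salted": True, "weak": cost < MIN_COST}
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_DIGEST_LENGTHS:
        # One fast digest per guess and no salt: one rainbow table covers every row
        return {"scheme": HEX_DIGEST_LENGTHS[len(stored)], "cost": None,
                "work_factor": 1, "salted": False, "weak": True}
    return {"scheme": "unknown", "cost": None, "work_factor": None,
            "salted": False, "weak": True}


def audit_password_store(rows: list) -> dict:
    """Summarise a column of stored hashes: count per scheme and number of weak rows."""
    summary = {"total": len(rows), "weak": 0, "schemes": {}}
    for stored in rows:
        info = classify_hash(stored)
        summary["schemes"][info["scheme"]] = summary["schemes"].get(info["scheme"], 0) + 1
        summary["weak"] += int(info["weak"])
    return summary


# Constructed sample rows (not real Zappos data): salt/digest characters are filler
SAMPLE_ROWS = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # bcrypt, cost 12
    "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # bcrypt, cost 4 (too low)
    "0123456789abcdef0123456789abcdef",                               # unsalted MD5-style hex
    "plaintextpassword",                                               # not a recognised hash
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(classify_hash(row))
    print(audit_password_store(SAMPLE_ROWS))
```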
Despite the good practices in password storage and breach response, the breach itself indicated that Zappos' network security had gaps. The attackers gained access to a production database containing 24 million records — suggesting insufficient segmentation, inadequate access controls, or exploitable vulnerabilities in the network path to the database. A penetration test would have assessed whether the database was reachable from attacker-accessible network segments and whether access controls were effective.
The lesson of Zappos is twofold: implement the controls that limit damage when a breach occurs (strong hashing, data segregation, incident response plans), AND implement the controls that prevent the breach from happening in the first place (penetration testing, vulnerability scanning, Cyber Essentials certification, and continuous SOC monitoring). Defence in depth means preparing for both prevention and containment. For incident response planning, UK Cyber Defence helps organisations prepare before a breach occurs — not just respond after one.
Our <a href="/penetration-testing">penetration testing</a> prevents breaches. Our <a href="/penetration-testing/web-application">application testing</a> verifies password storage security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects intrusions. And <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> helps you plan your response before you need it.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.