Zappos on Sunday confirmed that hackers breached the company’s servers and accessed personal data belonging to many of its customers. The Amazon-owned shoe retailer known for top-notch service and surprising customers with express shipping at no extra cost confirmed that personal data from 24 million accounts was accessed during a recent security breach. The hackers gained access to range of sensitive data including user names, encrypted passwords, customer names, email addresses, phone numbers and the last four digits of credit card numbers. The company stated that full credit card numbers were not compromised. As a security measure, Zappos reset the passwords of all affected customers and sent out emails alerting them to the situation. The company’s full email to customers follows below.

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Massachusetts Attorney General Martha Coakley recently said her iTunes account was compromised by identity thieves and that she will press Apple for answers. It is unclear how the thieves gained access to Coakley’s account, perhaps through an application, but the hackers stole credit card information and made fraudulent purchases, ThreatPost said. Coakley brought up the attack during a speech for the launch of the Massachusetts Advanced Cyber Security Center. She noted that Dell blocked her credit card when the hackers tried to purchase a computer, believing the purchase to be fraudulent. Apple, however, did not. Coakley said she would reach out to the iPhone maker and demand information. ThreatPost argued that Coakley might have been speaking so strongly in an effort to build support for Massachusetts’ state data privacy, data protection and data breach notification laws. Coakley believes companies such as Apple should be held liable when in violation of the aforementioned laws. The Massachusetts Attorney General’s office said any company that has had a breach which “creates a substantial risk of identity theft or fraud against a resident of the commonwealth,” should publicly disclose the attack.

Read

Following a major security breach earlier this year, Sony made good on its promise to bolster its security by hiring a former official from the U.S. Department of Homeland Security to serve as its chief information security officer and senior vice president, Reuters reported on Tuesday. Philip Reitinger formerly served as the director of the U.S. National Security Center. “Certainly the network issue was a catalyst for the appointment,” a Sony spokesman told Reuters. “We are looking to bolster our network security even further.” Sony’s online PlayStation and Qriocity networks were attacked in May when a hacker group known as LulzSec gained access to personal data belonging to more than 100 million users. A string of subsequent hacks on Sony’s digital properties made headlines for the better part of two months, and Sony’s PlayStation Network was not fully restored until July.

Read

A breach of Dutch SSL certificate authority DigiNotar is reportedly much bigger than initially thought, with more than 200 digital certificates having been stolen in July by hackers who breached the company’s network. Using the stolen certificates, hackers can potentially intercept and even alter data Internet users believe to be secure and encrypted. ”About 200 certificates were generated by the attackers,” Dutch security expert Hans Van de Looy told Computerworld, citing anonymous sources. Van de Looy says certificates for mozilla.com, yahoo.com and torproject.org were among those obtained by the hackers. Mozilla’s Johnathan Nightingale, director of Firefox development, confirmed the breach on Thursday. “DigiNotar informed us that they issued fraudulent certs for addons.mozilla.org in July, and revoked them within a few days of issue,” Nightingale said in a statement. BGR reported on Wednesday that the Iranian government has allegedly been using one of the stolen certificates to spy on Gmail users, and at that time the full extent of the DigiNotar breach was unknown. The compromised certificates have all revoked by DigiNotar, but not all Web browsers check for revoked certificates so the impact of this breach will likely be ongoing for some time.

Read

In response to the arrests of LulzSec member Topiary and Anonymous PayPal hackers, members of the AntiSec initiative have infiltrated 50 police departments across the United States and stolen 10GB of data. According to a release put out by the group, which includes members from Anonymous and LulzSec, the data includes “private police emails, training files, snitch info and personal info on retaliation for Anonymous arrests.” It also includes social security numbers, address information, passwords, credit card numbers, training files and more. “We hope that not only will dropping this info demonstrate the inherently corrupt nature of law enforcement using their own words, as well as result in possibly humiliation, firings, and possible charges against several officers, but that it will also disrupt and sabotage their ability to communicate and terrorize communities,” a recent press release said. The data was stored on a single server and the hackers said it took less than 24 hours to infiltrate and copy the information. In a release posted on PostBin, the AntiSec movement called on other hackers to join in and “make 2011 the year of leaks and revolutions.” The group also told the government to give up and said “you are losing the cyberwar, and the attacks against the governments, militaries, and corporations of the world will continue to escalate.”

[Via Gizmodo]

Read

An Arkansas man has been indicted for carrying out a cyberattack on AT&T servers that resulted in the theft of personal data from more than 100,000 iPad users. Andrew Auernheimer has been charged by a New Jersey grand jury with one count of conspiracy to gain unauthorized access to computers and one count of identity theft, Reuters reports. Auernheimer’s codefendant Daniel Spitler entered a guilty plea after being charged with the same crimes late last month. Court documents recount several conversations Auernheimer allegedly had surrounding the AT&T breach, and the evidence appears to be damning. “If we get 1 reporters address with this somehow we instantly have a story,” he wrote to Spitler on June 6, 2010, according to the indictment. “HI I STOLE YOUR EMAIL FROM AT&&T WANT TO KNOW HOW?” Auernheimer later continued, “The more email addresses we get … the more of a freakout we can cause.” Both Auernheimer and Spitler are said to be associated with “Goatse Security,” a hacker group reportedly focused on disrupting online content and services.

Read

Apple has promised to patch a security hole found in the iPhone and iPad following a report published by Germany’s Federal Office for Information Security. Reportedly, a PDF security hole could allow hackers to gain unauthorized access to personal data — such as messages and passwords — stored on an iPhone or iPad and could “infect the mobile device with malware without the user’s knowledge.” Apple’s PR team was quick to respond to the allegations. “[Apple is] aware of this reported issue and developing a fix that will be available to customers in an upcoming software update,” Bethan Lloyd, an Apple spokesperson told AFP on Thursday. Apple has not yet confirmed when it will push out the security update.

[Via Mobile Burn]

Read

Nearly two and a half months after its networks were breached by the hacker group LulzSec, Sony will finish restoring its PlayStation Network later this week when it reactivates the service in Japan. According to Bloomberg, Sony has been working with the FBI to identify the LulzSec hackers who were responsible for the attack on its San Diego data centers, during which the hackers obtained account information for more than 100 million PlayStation Network users. Reportedly, LulzSec rented and used servers from Amazon.com’s cloud service to facilitate the attack. Sony CEO Howard Stringer apologized after the attacks and offered a year of identity theft protection to those affected by the breach, as well as a free month of access to PSN.

Read

Notorious hacker collective “Anonymous Operations” on Sunday published data it claims to have obtained by breaching a server belonging to Apple. The data, which consisted of 27 usernames and passwords, was allegedly taken during from surveys stored on an Apple server. Though the group said on one of its Twitter accounts that it is “busy elsewhere,” and therefore will seemingly not be targeting Apple again in the near future, it claims to have exploited a security flaw common to several companies when it gained access to Apple’s server. Anonymous said the breach was part of its AntiSec movement, short for anti-security, which is aimed at “exposing corporate and government data and humiliating security firms.”

Read

The infamous group of “hacktivists” known as Anonymous Operations on Thursday launched a new tool to aid its digital crusade against targeted governments and corporations. Dubbed “HackerLeaks,” the new site is a tool hackers can use to distribute data anonymously, and it adopts the model popularized by WikiLeaks. Hacker groups like the now-defunct LulzSec used a variety of tools to disseminate the spoils of their cyberattacks, but Anonymous explains that their tool has a number of benefits. “Anonymous and the [People’s Liberation Front] have already established connections to the media outlets that can help better expose important data, and that they hope to also provide ‘unique and enlightening analysis,’” the group said in a statement. HackerLeaks it the latest addition to Anonymous’ movement known as “AntiSec,” which is aimed at “exposing corporate and government data and humiliating security firms.”

Read

The small group of hackers known as Lulz Security, or simply “LulzSec,” would never disband without one final round of fun. BGR reported on Monday that the group’s reign of terror was coming to an end after 50 lul-filled days. During that period of time, LulzSec released data stolen in a series of online breaches with targets ranging from Sony to the U.S. Government. In its coup de grâce, LulzSec released a stash of stolen data from a variety of targets, including AT&T, Disney and the U.S. Navy. But data obtained through online breaches wasn’t the only thing LulzSec stuffed into the file; a directory named “BootableUSB” also contained a variety of malware including trojans and worms. While “LulzSec” is no more and its notorious Twitter account now sits dormant, members of the well-known hacktivism group “Anonymous Operations” have confirmed that LulzSec is gone in name only — the six LulzSec members have been absorbed by Anonymous, according to the group’s official Twitter feed.

Read

A recent online security breach involving the left of 360,000 credit card numbers will cost Citigroup $2.7 million, the company confirmed to U.S. government officials on Monday. Hackers infiltrated Citigroup servers last month and stole account numbers and personal information associated with over 360,000 Citi-branded credit cards. According to Citigroup, personal information and card numbers from approximately 3,400 cardholders was subsequently used to make about $2.7 million in unauthorized purchases. Citigroup stated that affected customers would be reimbursed for the fraudulent charges. No arrests have been made in association with the breach.

Read

A hacker known as “The Jester” claims to have revealed the identity of a LulzSec member who may be the group’s leader. Thirty-year-old Xavier Kaotico, also known as Xavier de Leon or “sabu,” has been outed as the hacker prankster group’s leader, though his role and involvement with LulzSec has not been confirmed. The man allegedly lives or has recently lived in New York City, and is an independant IT consultant specializing in Python programming, Linux development, network security and exploit development. LulzSec, a small group of hackers that has become the focus of the international technology media over the past few weeks, has claimed responsibility for carrying out a number of malicious breaches. Recent LulzSec targets include websites belonging to Sony, Citigroup, the CIA and the U.S. Senate. After a public spat between the two high-profile hacker groups, LulzSec united with “Anonymous Operations” to wage a cyber war against the U.S. government, stating, “Sitting pretty on cargo bays full of corrupt booty, they think it’s acceptable to condition and enslave all vessels in sight. Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011.” LulzSec has not directly addressed the allegation that Kaotico is its leader, though it has posted messages to its Twitter account mocking The Jester, who calls himself a “Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, and other general bad guys.”

[Via th3j35t3r, LulzSec]

Read

Last year hackers made headlines when AT&T announced to a security breach that had allowed hackers to access the personal data from 114,000 iPad 3G users. On Thursday, 26-year old Daniel Spitler from San Francisco pleaded guilty to two crimes: conspiracy to gain unauthorized access to computers and identity theft. Spitler faces up to 10 years in prison — five years for each count, according to The Wall Street Journal. “Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said U.S. Attorney Paul Fishman in New Jersey. “Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.” Fishman’s statements are clearly also aimed at other hackers; LulzSec and Anonymous, two hacking groups, recently announced that they have joined forces to attack the U.S. government. That’s in addition to recent hacks on Sony — which LulzSec took responsibility for — and Citigroup. Spitler will be sentenced on September 28th.

Read

There are numerous reports claiming that the leader of the now infamous hacking group LulzSec has been arrested in the United Kingdom. According to London’s Metropolitan Police, the shadowy leader was a 19-year old responsible for hacking “a number of international businesses and intelligence agencies.” The group took responsibility for Sony’s recent massive security breach and has also targeted a number of high-visibility websites, including that of the Central Intelligence Agency, and has waged war on the U.S. government with another group dubbed Anonymous. Despite the reports, however, LulzSec has denied that any of its members have been arrested. Early Tuesday morning the group tweeted: “Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor b****** did they take down?”

Read