Zappos, the Amazon-owned shoe and apparel retailer, said more than 24 million of its customer accounts had been compromised.
Hackers were able to access Zappos customer's names, e-mail addresses, addresses, phone numbers, the last four digits of credit card numbers and cryptically scrambled passwords.
Zappos reset the passwords for all the affected accounts and is notifying customers now with instructions on how to create a new password.
"We've spent over 12 years building our reputation, brand, and trust with our customers," Zappos Chief Executive Tony Hsieh said in a note to employees. "It's painful to see us take so many steps back due to a single incident."
Zappos is based in Las Vegas and is owned by Seattle-based Amazon.com Inc.
Zappos customers may be able to tighten up their user account at the shoe retailer quickly, but the real danger lies in what other important Web accounts carry similar information.
Too many people use similar passwords for most of our online logins. It can be hard to juggle different passwords for dozens of accounts.
But the Zappos breach is a great example of how dangerous that can be.
Using the clues gleaned from Zappos accounts, hackers now may have enough clues to gain access to a user's e-mail or other important accounts.
So while Zappos passwords still may be relatively secure, all those other pieces of information can offer clues to a user's password. That information also can be used to answer a weak set of security questions correctly.
That's why giving the same password to something important like online banking and a one-off retailer purchase like Zappos is very dangerous.
A good tip: Create passwords that are nonsensical characters at websites that won't get daily use. If, say, you shop at Macys.com once a year, don't give that account a password similar to the important ones tied to daily destinations like e-mail or online banking.
It won't be a password you'll be able to remember, but when you have to log in next, just click the password reset button and have a link e-mailed to you.
Doing things this way means that all those accounts will always be as secure as your e-mail, which should be a password unlike any other.
You can't stay perfectly safe on the Web, but these tips should go a long way to keep you secure.
One thing is for sure: If you're a Zappos customer, secure that account now and change the password to any other sites that use a similar password.
