Hey Zappos customers! As you may have heard already, a serious flaw called
Heartbleed was disclosed on Monday, April 7th in a popular encryption
software named OpenSSL. Our awesome systems and security team had our
systems patched that afternoon. But since then we have received some calls
and emails about this issue and we want to help clarify a few things.
What is it?
You know that lock you normally look for or "https:" on websites to check
if your information is protected through encryption? Well a lot of
websites use OpenSSL to enable that functionality. The flaw allows an
attacker (bad guys) a way to circumvent the encryption. If that happened
there would be a possibility of seeing usernames, passwords, and other
What did we do?
Our systems and security teams patched the vulnerability on Monday
afternoon, shortly after the vulnerability was announced and the patch
came out. And as an added precaution, we've reissued our certificates on
the site. We've reviewed our systems and have found no indications of
malicious activity. We also want you all to know that we rely on a number
of tools to ensure your accounts are protected outside of OpenSSL and
we'll continue to monitor your accounts to ensure they stay safe.
How to verify what we've told you:
Some of our wonderful customers have been struggling to understand how to
determine if we are still vulnerable. And some have said they still see us
as being reported as 'likely' vulnerable on some sites. This is due to the
test being performed against our primary domain name 'www.zappos.com'.
However, the part of the site that uses OpenSSL and contains the sensitive
data is 'secure-www.zappos.com'. When you login, check your account, and
purchase/checkout our awesome products, these actions are only performed
on that secure domain. Therefore, that's the site you have to check.
As you can see, the secure portion of Zappos.com is properly protected
against the Heartbleed issue on these two sites:
If you would like to read more of the technical details of the
vulnerability, please visit this website: www.heartbleed.com
If you have any other questions, please contact us anytime, 24/7!
(Zappos Information Security Officer)