In an email sent Sunday, CEO Tony Hsieh advised users to change their passwords after intruders gained access to parts of the company's internal network through one of its servers in Kentucky. He did not indicate when or how the incursion occurred or when it was detected.
Investigators believe the hackers harvested names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers.
Because the hackers stole hashes for customer accounts, which could make passwords decipherable, all access codes to the website were reset, meaning customers must create new credentials. Customers are advised to visit the Zappos site, click on the "Create a New Password" link and follow steps from there.
However, in what he deemed "the good news," Hsieh said the company's database, which stores credit card and other payment data, was not compromised.
An "exhaustive investigation" is under way with law enforcement, Hsieh wrote in the email.
Expecting a flurry of phone calls from customers, the company has shut down its phone system. In an email to Zappos employees on Sunday, Hsieh explained the phone systems would not be capable of handling the expected volume of calls.
Support is available through email and Twitter. The website is currently operating normally, but there is no announcement of the breach on the site's home page.
Further complicating the danger to customers, the criminals behind the intrusion may be able to use the information they stole either to log in to victims' other online accounts, if the victims share credentials across sites, or to craft spear phishing attacks that could yield even more sensitive information, IT security experts said.
"By itself, it appears the criminals didn't get anything to drain bank accounts," Jon Gossels, president of SystemExperts, a network security consulting firm, told SCMagazine.com on Monday.
However, he said they did obtain enough data to launch automated and customized phishing attacks that will look more legitimate than generic spam.
Zappos must analyze how the attack was perpetrated and determine which control was deficient, then begin a clean-up, Gossels said.
The merchant advised customers to change their passwords on any other sites where they used the same password.
A company spokeswoman declined to comment further when contacted by SCMagazine.com.
Zappos was founded by Nick Swinmurn in 1999 and that year received a $500,000 infusion from Tony Hsieh and Alfred Lin's investment firm Venture Frogs. A year later, Hsieh took the reins as co-CEO with Swinmurn.
Amazon acquired Zappos in July 2009 for $1.2 billion. Fortune named it No. 6 on its list of “Best Companies to Work For” in 2011.