Statement from Yubico CEO on Zappos.com Security Breach
“A security breach of the magnitude experienced by Zappos.com is a serious concern for any business that relies exclusively on Internet orders for sales,” said Stina Ehrensvard, CEO, Yubico, Palo Alto, California and Stockholm, Sweden, commenting on how hackers exposed 24 million client records in a security breach over the weekend. “While it appears Zappos securely protected the database that housed credit card information, hardware security modules (HSMs) could have prevented the exposure of Zappos’ customer password data that were compromised from the organization’s servers in Kentucky. The exposure of email addresses and password hashes of weak and duplicated passwords leaves customers exposed across potentially many sites. The perception is HSM and related services are very expensive, but the cost and complexity for this needed technology has fallen dramatically to a few hundred dollars and the cost of not deploying it is very high as Zappos has shown.”
“Additionally, Zappos has reset and expired their customers’ passwords and is helping them choose new passwords. We believe a better solution is the new breed of consumer-friendly one-time passcode tokens that users can keep on their key chains to replace weak and duplicated passwords,” Ehrensvard continued.




