Popular online shoe retailer Zappos.com said late Sunday that hackers had accessed its network, stealing customer account information from as many as 24 million customers.
Credit card information was not stolen, company CEO Tony Hsieh said in a statement sent to users, but email addresses, billing and shipping addresses, phone numbers, the last four digits from credit cards -- and more -- may have been compromised.
"We were recently the victim of a cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," reads a statement posted on the company's blog. "We are cooperating with law enforcement to undergo an exhaustive investigation."
The company stressed that credit cards were not affected, and that it has already reset the passwords for existing customers to prevent abuse of the stolen data.
But users could still be at risk, security experts warn.
"This event offers a teachable moment for almost anyone does online transactions," said Ira Victor, a computer forensics and information analyst with Data Clone Labs.
"Many online shoppers use the same password for multiple sites. This means the Amazon or Facebook password maybe the same as the banking password, and the password for workplace email."
"Cybercriminals know that password reuse is very common," Victor said.
A special page on the Zappos website has been created to facilitate password changes for users: www.zappos.com/passwordchange.
The company is well regarded for its customer service; Hsieh expressed concerns that the security breach might affect the time spent burnishing the company's image.
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," he wrote.