Online shoe seller Zappos.com says a hacker may have accessed the personal information of up to 24 million customers.
Customers' credit card and payment information was not stolen, but names, phone numbers, email addresses, billing and shipping addresses, the last four digits from credit cards and more may have been accessed in the attack, according to an email that CEO Tony Hsieh sent on Sunday to employees.
Zappos is contacting customers by email and urging them to change their passwords.
Zappos said the hacker gained access to its internal network and systems through one of the company's servers in Kentucky. Zappos is based in Las Vegas. It is owned by Seattle-based Amazon.com Inc.
"We've spent over 12 years building our reputation, brand, and trust with our customers," Hsieh said in his email. "It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."
Zappos.com information on password change for customers: http://www.zappos.com/passwordchange
CEO email and statement: http://blogs.zappos.com/securityemail