Cyber Incident Victim: Zazzle
Date: Jun 2017
Location: United States of America
Summary
The company experienced unauthorized access to numerous customer accounts via brute-force attacks using credentials compromised in an external breach. Account holders were required to reset passwords through email verification, and the company implemented CAPTCHA protections while evaluating further security measures, maintaining that its systems were not directly breached.
Description
In June 2017, Zazzle detected unauthorized login attempts targeting customer accounts on its online marketplace platform. Attackers employed brute-force techniques using username and password combinations obtained from an undisclosed third-party data breach unrelated to Zazzle's systems. The company confirmed that threat actors systematically tested these stolen credentials against Zazzle accounts throughout the month, successfully gaining access to thousands of user accounts. Bobby Beaver, Zazzle's Chief Technology Officer, characterized the compromised accounts as representing "a small percentage" of total users but did not disclose specific figures beyond confirming "thousands" were affected. The company maintained that its own infrastructure remained secure throughout the incident, with no evidence of direct system breaches or database compromises.

Zazzle initiated a coordinated response beginning with forced password resets for all impacted accounts, requiring users to establish new credentials upon their next login attempt. The password reset process incorporated email verification through security tokens sent to registered addresses, a measure designed to prevent unauthorized password changes unless attackers also controlled the associated email accounts. Concurrently, Zazzle implemented a CAPTCHA system on its login page to deter automated credential-stuffing attacks. Company officials stated they were actively evaluating additional security enhancements to prevent similar incidents, though no specific future safeguards were detailed. The incident highlighted risks associated with credential reuse across multiple online services, as the compromise originated entirely from external credential sources rather than vulnerabilities within Zazzle's environment.
