A confirmed eBay leak: another password alert

The season seems to be open: the dust hasn’t yet settled after the semi-apocalyptic Heartbleed revelation, and now eBay has confirmed that its security was badly breached, with personal data of the service’s clients leaked. The leak appears to be massive, since the perpetrators managed to steal credentials of the company’s workers and infiltrated eBay’s internal network. The company didn’t disclose how it happened, so there’s room for speculation, but that isn’t exactly relevant now.

Apparently the breach occurred some time ago, which is bad news on its own. According to an eBay Inc. announcement, the incident took place “between late February and early March”, but was only discovered last week; forensic experts were called in, and after the worst suspicions were confirmed, the company made an announcement.

This means perpetrators had at least two and a half months to put their loot to use. The loot in question included “eBay customers’ name, encrypted password, email address, physical address, phone number, and date of birth.” Then comes the good news: The database did not contain any financial information or other confidential personal information. Even better: Passwords had been stored encrypted.

Still, that doesn’t make them immune to the hackers. As Forbes’ James Lyne puts it, “…imagine what the cyber criminals can achieve with their substantial botnets (large networks of computers running remote control code that can be tasked with anything the cyber criminal wants) and the benefit of time on their side”. They have definitely had some time already.

Besides, as noted above, attackers compromised “a small number of employees’ log-in credentials,” which allowed them unauthorized access to eBay’s corporate network. It’s possible the hackers also helped themselves to encryption keys. That would expose client passwords without much effort. This, however, is unconfirmed by eBay so far and hopefully will stay that way.

More good news: the attackers failed to get their hands on credit card data, since it is stored separately (well done, eBay). PayPal hasn’t been compromised either, or at least there is no evidence of that. “PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted,” the company said in a statement. It also has no evidence that the stolen personal data has been abused. At least for now.

Still, it is strongly recommended to check and change all passwords ASAP, at least the one for eBay itself. Even if PayPal is safe (unless you used the same password for both PayPal and eBay), one may feel ‘healthily paranoid’, and it definitely won’t cause any harm to change the password there too.

Deploy all of your antiphishing tools (which you hopefully use already) and stay on alert. It’s clear that phishers are going to take their chances, and the avalanche of malicious e-mails exploiting the topic is coming very soon. Most likely they will be well-crafted, so extra security is paramount here.

If you are a business owner, your workers may need to hear (yet another?) lecture on safe browsing and working with e-mails, so that they don’t fall victim to something similar to what preceded the latest eBay breach.

eBay plans to send out notifications for their users – via email, site communications and other marketing channels – asking users to change their password. The company’s announcement ends with the following:

“In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts”.

A good point. Not recycling passwords (especially when it comes to money, etc.) is the ABC of web security, something so essential that it’s often overlooked. Practice shows that extra reminders are always a good thing. And just as Heartbleed brought society’s attention to the problems of passwords, so does this eBay breach now.

Which is possibly the only positive outcome of this situation.