In response to the news that eBay has been hit by a cyber attack and that a database containing encrypted passwords has been compromised, Dwayne Melancon, CTO of Tripwire, comments:
“Now that this information has leaked, I am quite surprised that eBay has been so slow to add information to their site to inform users of the situation and guide them through the password reset process. Customer confidence relies on directive, specific action and information in these scenarios.
It appears that the eBay data breach involved securely encrypted passwords, which makes it less likely that users’ eBay accounts will be easily accessed since doing so will require brute force decryption of passwords. However, the fact that user email addresses and physical addresses were taken in the breach is more concerning. Criminals could use that information to masquerade as eBay customers on other sites, or perhaps use that information to ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore easily reused by attackers.
It is good practice to ask for a password reset, and users should probably be required to reset - not just asked. Furthermore, password complexity rules ought to be in place to ensure users select complex passwords. Of course, users should also make certain they are not using the same password they are using on another site.
Many eBay users also have their accounts connected to PayPal (which is owned by eBay) for payments. For further security, I recommend customers make use of PayPal’s optional feature which uses 2-factor authentication to verify the users’ identity prior to making a payment. Given that PayPal is linked directly to users’ bank accounts, this is a best practice even if there had not been a data breach at eBay.
eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this. To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site."
eBay has confirmed that a database containing users' passwords was hacked back in late February and early March; however, the intrusion was only detected two weeks ago. The company is telling all users, today, to change their passwords.
From what we can tell, eBay has been able to narrow the attack down to a small number of employee login credentials stolen by cyber attackers. These credentials gave the attackers access to eBay users' names, encrypted passwords, e-mail addresses, physical addresses, phone numbers, and dates of birth. The company has subsequently engaged in forensics activities to determine which database was compromised and what was stolen.
Commenting on the attack on eBay user data, Wieland Alge, IT security pioneer, inventor of one of the most robust corporate firewalls, and VP and General Manager EMEA at Barracuda Networks, said:
"There’s no point in overinvesting in state-of-the-art perimeter defences if a company can’t mitigate the risk left by its own employees being fooled into leaving the door wide open for cyber criminals. Today, more than ever before, we have to operate in a Zero Trust Environment.
"Those responsible for IT security must trust no-one and nothing. Not even the fridge. Collective mistrust is no longer a sign of paranoia but has become a guiding principle of IT. Every application and every piece of hardware can now be hacked, so IT security has to mistrust everything and everyone. Not customers, not governments and especially not employees. They hold the key to so much and the stakes are so high.
As such, the basic framework of the Zero Trust Environment is clear: Critical infrastructures must be protected against other IT components and users by additional, intelligent security gates. Each query must be checked, each suspicious act prevented and investigated immediately. There’s no excuse for complacency or delay."
eBay’s 112 million users will be asked to change their passwords later today after attackers compromised a small number of employee login credentials, allowing unauthorised access to eBay's corporate network. Commenting on the breach and advising on what users can do, Toyin Adelakun, VP of Products at Sestus, said:
"This appears to be more serious than a "mere" password smash-and-grab. Rather, it seems eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were stolen. Passwords can and must be reset—especially if they’re reused elsewhere—but the other personal data cannot easily be reset.
If eBay confirms that wider personal data has been stolen, users must maintain extreme vigilance over all financial statements and their credit reference files. Users with reason to suspect their identities have been stolen can contact the fraud prevention service CIFAS (in the UK; equivalents exist elsewhere), and consider asking it to put a ‘protective registration’ on their credit reference file. This service costs about £20 (about US$30) and alerts lenders to conduct further checks before approving credit applications. The erstwhile silver bullet of “identity theft insurance” has become somewhat deprecated over the last few years, but users considering such protection should satisfy themselves that such policies definitely offer adequate protection against actual losses.
Generally, institutional, regulatory and legal responses to identity theft are immature and still under development, so personal responsibility needs to be to the fore, for now."