People woke up today to news of another data breach affecting a major company. This time it’s eBay, and if you’re an eBay customer you need to take action right away.
If you’re making a list of high-profile data breaches, you now have a new name to add to that list: eBay. In a posting in the “in the news” section of its web site, eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.
Hackers gained unauthorized access to a database that included eBay customers’ names, home addresses, dates of birth and encrypted passwords. eBay said that financial information such as credit card numbers was stored separately and was not compromised. Encouragingly, the company said it has seen no fraudulent activity as a result of the hack.
The database, which was compromised between late February and early March, included eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
Although investigations are of course still ongoing, the current posting indicates that eBay is relatively sure that unauthorised access was limited to one database; at least, that is the view the wording of the posting presents. For now, if you’re an eBay user, you need to change your password there, and if you used that password on any other web site, you’re going to need to change it there too. Unfortunately, changing your name or address is not so easy; that’ll have to stay compromised.
“If you’re an eBay customer, what this means first and foremost is that you should change your password right away. With the ongoing spate of data breaches like this, it’s all the more important to try and use unique passwords for each site. This is where a password manager tool like Trend Micro’s DirectPass can help.
Beyond changing your password, this incident shows again why you may want to look into real time identity theft monitoring as well. Unlike other data breaches we’ve seen, this one includes physical address, telephone number and date of birth, all of which can make it easier for criminals to steal your identity. Just changing your password won’t protect you against this threat,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro.
Some questions for eBay from Trend Micro
1 – If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? It is noted with chagrin that “all PayPal financial information is encrypted”. Still running a two-tier system?
2 – If you’re going to tell us that it was encrypted, but the attacker got access using stolen database credentials, why was there no two-factor authentication to access these crown jewels?
3 – Why did it only take compromised credentials to gain access to the corporate network? Again, where’s the multi-factor?
4 – Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately, not to mention exfiltrated? Where are the breach detection systems?
5 – How was my password “encrypted”? We want details. We want to know which algorithm was used and how you salted it. We want to know the realistic chances of my password being brute-forced, so we can make an educated assessment of my level of exposure and offer practical advice to others.
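Question 5 is the one with a concrete technical answer, and the reason the algorithm and the salt matter is easy to show. The example below is added here for illustration; it is not eBay’s password scheme (which the company had not disclosed at the time of writing) and makes no claim about what eBay actually stored. It contrasts a fast, unsalted hash, where every user with the same password ends up with the same stored value and precomputed tables work, with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library; the iteration count is an assumed work factor, not a value from the page). The final helper turns one measured hash time into a rough cost for a given number of guesses, which is exactly the “realistic chances of being brute-forced” figure the question asks for. All passwords in it are constructed sample values.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor for the slow scheme; tune so one hash costs ~100 ms on your servers.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a single fast, unsalted hash.

    Two users with the same password get the same value, so one precomputed
    table (or one cracked hash) unlocks every matching account at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """The defensible scheme: random per-user salt plus a deliberately slow KDF.

    Returns a self-describing record "algorithm$iterations$salt_hex$digest_hex" so the
    verifier never has to guess the parameters and they can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and parameters; constant-time compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def estimated_guess_seconds(record: str, guesses: int) -> float:
    """Rough time for an attacker to test `guesses` candidates against ONE record.

    Measures a single verification locally and scales linearly. Dedicated cracking
    hardware is much faster than this machine, so treat the result as a lower bound
    on attacker cost; the point is how the iteration count moves it.
    """
    start = time.perf_counter()
    verify_password("not-the-real-password", record)
    one_guess = time.perf_counter() - start
    return one_guess * guesses


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample, not a real credential

    # Same password, same unsalted hash: the database itself reveals shared passwords.
    print("unsalted:", unsalted_sha1(sample) == unsalted_sha1(sample))

    # Same password, two records: the salts differ, so the digests differ.
    record_a = hash_password(sample)
    record_b = hash_password(sample)
    print("salted records equal:", record_a == record_b)
    print("verify correct:", verify_password(sample, record_a))
    print("verify wrong:", verify_password(sample + "!", record_a))

    # Cost of a million guesses against one record at the configured work factor.
    print(f"~{estimated_guess_seconds(record_a, 1_000_000):.0f} s per 10^6 guesses")
```

The scaling is the practical lesson behind question 5: with an unsalted SHA-1, an attacker tests every leaked hash against each guess simultaneously, whereas a per-user salt forces one run per account and the iteration count multiplies the cost of each run. Knowing those two parameters is what lets a customer, or a responding organisation, judge how long a leaked record protects a given password.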
Bonus question for extra points
How were the initial accounts compromised and what are you going to do to make sure this doesn’t happen again?
Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently; that’s a pipe dream. If they want to get in, they will get in. Effective security is about accepting the reality of compromise, putting systems and processes in place that mean you discover and react in a timely fashion, and, crucially, making it extremely difficult for the attacker to leave with what they came for. How did you score?
Sensitive data, especially that which you hold in trust, should always be encrypted, no exceptions!
Cyberattacks can have a chilling effect on online customers, who must trust retailers with sensitive financial information to do business. It’s generally good password hygiene not to use the same password on different websites. But for eBay customers who have doubled up, the company is recommending you change your password on both eBay and all other sites where that same password was used.