eBay falls victim to cyber attack
Written by Deborah Ritchie
eBay has become the latest high profile victim to a cyber attack that compromised one of its databases.
Although the compromise happened a few months ago, it is thought that eBay, which has some 112 million users, did not identify the activity until much later. Security experts warn this data could be used to access the corresponding eBay accounts and generate fraudulent purchases or other activity.
“eBay is taking steps to protect these accounts from activity related to this particular breach going forward, but for many the message to change their passwords on other sites where they are using the same password might not play out so well,” said Troy Gill, senior security analyst at AppRiver. “Unfortunately, many people will not heed this warning and as a result the attackers will have a potential entry point to gain access to some other personal account which is utilising the same password. I strongly recommend that all eBay users change their eBay password as well as any other accounts utilising the same password. This is also a great time to re-visit and make sure you are using a strong (and different) password on all accounts.
“Any time an event like this occurs it opens the door for the eBay and PayPal phishing campaigns to be much more effective, since many are familiar with the situation and might not realise the scam is not part of the actual eBay effort.”
eBay has historically had a strong track record on security, having built a strong internal security team and worked closely with law enforcement. Michael Sutton, vice-president of security research at Zscaler, says this only underlines how vulnerable all enterprises are to attack. “It remains to be seen how the breach occurred, but mention of a small number of employee accounts being compromised lends itself to a targeted attack,” Sutton says.
“It is concerning that the breach occurred some two months prior to discovery. Presumably, the stolen credentials had been used but internal controls failed to detect their use by third parties or potential data exfiltration. While encouraging to learn that all passwords were allegedly encrypted, the personal data that was accessed, including customer names, phone numbers, physical addresses, email addresses and date of birth, would be beneficial to attackers conducting social engineering attacks against eBay users. Moreover, even with encrypted passwords in place, the fact that broad password changes are being requested illustrates that there is concern that the encrypted passwords will be brute forced. eBay users should not only change their eBay password but also passwords for any sites sharing the same authentication credentials.”
One security expert suggests the company may not be doing enough to protect its customers, saying eBay should be warning customers more proactively.
“Many people have their eBay accounts linked to PayPal, bank accounts, credit cards or Bill Me Later accounts. If eBay has lost usernames and passwords in a breach, the attackers can post fake items for sale on eBay and then use stolen accounts to steal money from these accounts,” said Lamar Bailey, director of security R&D at Tripwire. “eBay should be warning customers via email and on their home page, but that has not happened yet.”
Other commentators are concerned the attack may have more far-reaching consequences. Says Toyin Adelakun, vice-president of products at Sestus: “This appears to be more serious than a ‘mere’ password smash-and-grab. Rather, it seems eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were stolen. Passwords can and must be reset, especially if they’re reused elsewhere, but the other personal data cannot easily be reset.
“If eBay confirms that wider personal data has been stolen, users must maintain extreme vigilance of all financial statements and of their credit reference files.
“Generally, institutional, regulatory and legal responses to identity theft are immature and still under development, so personal responsibility needs to be to the fore, for now.”