eBay reacts to breach

News by Tony Morbin

Users told to change passwords following database hack at eBay

Today online commercial giant eBay asked all its customers to change their passwords following a successful attack by hackers – meaning sending messages to some 145 million active buyers.  eBay spokesperson Kari Ramirez told SCMagazineUK.com, that the attack on the company's corporate information network had, “compromised a database containing eBay user passwords.” But added,  “There is no evidence that any financial information was accessed or compromised; however we are taking every precaution to protect our customers.”

Ramirez also said that there is no evidence of unauthorised access or compromises to personal or financial information for PayPal users as all PayPal financial information is encrypted and stored separately on a secure network.

The fact that the compromised database did not contain financial information does provide some reassurance, commented Mark Skilton, Warwick Business School Professor of Practice, talking to SC, adding, however, that the request to change passwords is an inadequate response to such a security breach.

“You've got to look at their Privacy, Confidentiality, Security and Trust (PCST) strategy.  It's good that they are using the PayPal infrastructure for finance which means trust is high. Confidentiality and Privacy is slightly weak and given that the breach reportedly happened months ago (and was discovered two weeks ago), we should have seen steps in place to prevent a repetition communicated to customers within days.”  

Tyler Shields, mobile security, and strategy analyst at Forrester Research, also condemned the slow response in an email to SC, saying:  "It's concerning how long it took eBay to find the attackers. From late February and March to just about two weeks ago is a LOT of time for an attacker to be roaming around your network and systems, “ adding, “Focusing on the encryption piece is not that important. Encryption of passwords is relatively trivial to crack given cloud computing and pre-computation of hashes. For dedicated hackers, it'll be about as hard as it can be but it's still not going to be a problem to break through." 

Trey Ford, global security strategist at Rapid7, was more sympathetic to eBay's predicament when he addressed the same issue in an email to journalists, commenting:  “The public does not yet know how and when the event was discovered – and most details are not generally shared publicly. Organisations are under considerable pressure to disclose a breach quickly. I think this pressure complicates the already considerable challenge of confidently drawing a box around what was compromised, and confirming the attacker's access and influence has been eliminated, making sure they will not return.

David Emm, senior security researcher at Kaspersky Lab commenting to reporters by email, agreed that the fact that this attack took place months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. “While it might seem as though eBay has been slow to respond, if the company has only just discovered the full extent of the attack it is now doing the right thing by notifying customers in a timely manner. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for.”

However, Skilton's main criticism was in relation to Security.  “They've not done enough. Just changing a password is weak. The core issue appears to be the internal theft of employee accounts that were then used to access the customer account passwords and address date. This should have been picked up in having proper secure domain monitoring and reporting of anyone accessing sensitive customer data.  Advice to change passwords is after the "horse has bolted".      

“They need to review their strategy to monitor both external and internal access to key data such that there is earlier warning of potential breaches.  Even though eBay may not have been affected by high profile DDoS attacks like the Heartbleed bug, demanding absolute confidence that security is in place - this breach demonstrates that their security infrastructure is not strong enough, and not what you would expect from such a major digital brand.”

Phil Barnett, VP of Global Accounts at Good Technology  agreed saying in an email to SC, “Every organisation must have technical safeguards and formal IT policies in place that protect sensitive corporate information and avoid situations like this. The secret is in securing data, and not just the particular device it has been accessed on. It's all about understanding and protecting access points. The better visibility and control that a company has over all of its external access point, the better it can protect against attacks such as these”. 

A small number of employee log-in credentials were apparently compromised, allowing unauthorised access to eBay's corporate network.  A company statement on eBay's website says, "The database... included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth," according to a company site posting, but it did not contain financial information or other confidential personal information.

Ford summarised the main issues:  “Two concerns stand out: Passwords will eventually be decrypted, and attackers will now have access to data, making it easier for them to sound legitimate. Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter. Expect an uptick in phishing, do not click on links in emails, or discuss anything over the phone. Call customer service instead or go directly to websites as you normally would.”

Brian Spector, CEO, CertiVox, adds, “the underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today.

“This incident is just the latest in a long line of attacks that highlight the need for the wider technology industry to take another look at the methods that they employ to secure services and data. The way that consumers operate online – often using the same password for multiple accounts – means that the risks posed by data losses can be extremely wide ranging.”

For Matt Middleton-Leal, regional director, UK & I at CyberArk, the issue was one of user privileges, as he said in an email to journalists:  “The very fact that just a ‘small number' of compromised accounts has resulted in such significant access to eBay's corporate network is extremely concerning.  Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach. 

“These powerful accounts hold the proverbial ‘keys to the kingdom'.  As evident here, they have access to vast stores of information, data and control within the organisations' digital depositories and, as a result, are the primary target for any hacker who is on the ball.  Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked. Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing.“

eBay is reported to be aggressively investigating the matter in cooperation with law enforcement agencies, security experts and use of forensics. Advice is also being issued not to use the same password across multiple sites or accounts – and to change those too if you have used the same password.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews