This remains very much a fluid situation, but eBay has already had a long morning as it became the latest company to admit it had been the target (pardon the double entendre) of hackers. It is also the latest in an increasingly long line of companies that have had to handle such incidents, and the good news is that, despite a bumpy start, eBay's response ranks as close to best practice when compared to Target's.
PayPal takes a hit
Here is what has transpired so far.
Early this morning, after publication of a story that its corporate network had been compromised, the popular e-commerce site had some interactions with the widely read tech site CNET. In its timeline on the story, CNET says it was subsequently contacted by eBay, which admitted it had “recently” been the victim of a cyberattack on the database containing eBay user passwords, but that there is "No evidence that any financial information was accessed or compromised."
As CNET also reported, this statement came after eBay-owned PayPal posted a blog entry titled "eBay, Inc. to Ask All eBay users to Change Passwords," which contained no explanation of why, and then pulled it from the web, but not before it had circulated on social media.
Right now there is information about the hack on eBay’s official corporate blog. Interestingly, it does not change the advice to users to change their passwords. It does, however, offer more than the usual transparency for these events, saying:
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.
It goes on to say that: “Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too.”
The latter falls into the category of “OMG, they get it!” Who would have thought a target like eBay would have been so forthcoming with information on the day the attack was revealed? Yes, they did admit this had been going on for a while, but let’s at least give them credit on the notification side once the attack came to light.
Before I wax too enthusiastically about the response, here is a picture of the company Twitter feed as of roughly noon EDT. Note that the last entry was several hours ago.
[Image: eBay company Twitter feed, via Twitter]
In addition, you might be interested in what two security experts have to say about this latest compromise of a huge brand.
Roger Thompson, chief emerging threats researcher at ICSA Labs, a vendor-neutral testing and certification organization, commented: “This hack is not surprising. Security and functionality tend to exist in an inverse relationship. In other words, the more functional you make something, the less secure it tends to be, and big websites are highly functional. Breaches are part of the fabric of the Internet.” He added: “Users need to follow basic security measures like using only one password per site and investing in a password manager. Passwords by themselves aren’t relative as a security measure in today’s environment. Websites that don’t have multiple forms of authentication should be considered high-risk for these types of events.”
Brendan Rizzo, Technical Director for Voltage Security, stated, “This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when. While there is no doubt that eBay has top of the line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company's defenses undetected.”
Rizzo added this sobering thought: “If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where users' personal information has now been exposed to an untold number of cyber criminals.”
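Rizzo's point is that a stolen credential table should be useless to whoever steals it. He suggests format-preserving encryption; the more common defender-side answer for passwords specifically is to store only a salted, deliberately slow hash, so that the table never contains anything that can be replayed as a login. The example below is added here to illustrate that approach; it is not eBay's or Voltage Security's code, and the record format, the work factor and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor: PBKDF2-HMAC-SHA256 iterations chosen so that each
# guess against a leaked table costs the attacker real CPU time.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def make_verifier(password: str, iterations: int = ITERATIONS) -> str:
    """Return the record to store instead of the password: a per-user random
    salt plus the slow hash, encoded as algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def check_password(password: str, verifier: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a malformed record or a wrong guess both fail without leaking timing."""
    parts = verifier.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Constructed sample accounts (not real users). Two people picked the same
    password; a leaked table still shows two unrelated records and no plaintext."""
    shared = "correct horse battery staple"
    table = {"alice": make_verifier(shared), "bob": make_verifier(shared)}
    return {
        # per-user salt: identical passwords do not produce identical records
        "distinct_verifiers": table["alice"] != table["bob"],
        "alice_login_ok": check_password(shared, table["alice"]),
        "wrong_password_rejected": not check_password("hunter2", table["alice"]),
        # what a thief sees: the password string itself is nowhere in the table
        "plaintext_in_table": any(shared in record for record in table.values()),
        "garbage_record_rejected": not check_password(shared, "not-a-record"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what this does and does not buy: a thief who steals this table still has to spend the full work factor on every guess for every user, and the per-user salt prevents one crack from unlocking every account that shares the password. It does nothing for the names, addresses and dates of birth in the same database, which is the gap Rizzo's format-preserving encryption suggestion is aimed at.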
As this story continues to unfold, the best advice comes from eBay itself, i.e., change your password and do it now. Plus, as much of a pain as it is, don’t use the same password on multiple sites. I, like many of our readers, have my fingers crossed that eBay’s assurances that no financial data has been compromised are true. That said, the fact that hackers have enough information to create a fake ID they could use is bad enough. Hence, as with the recent Heartbleed Bug problem, today is going to be a day for changing passwords. This really is getting old.