Why you need to change your eBay password

Why you need to change your eBay password: eBay Inc has in the last few hours confirmed in an announcement that it has been compromised and that users will need to take action to protect themselves. The compromise, which took place sometime between late February and early March, gave the attackers access to customers' names, e-mail addresses, encrypted passwords, postal addresses, phone numbers and dates of birth. In other words, sufficient data to potentially cause havoc in your online and offline life.

The cyber criminals were able to compromise eBay through the theft of employee credentials (eBay did not confirm how, though it seems likely that the standard phishing method implicated in other recent attacks of this kind was used), which then provided access to the corporate network.

eBay Inc were quick to reinforce that the stolen passwords were encrypted, though they have yet to provide any technical details of the implementation. Many providers, when compromised, are forced to admit that they stored plaintext passwords, but even when hashing or encryption is used that doesn't necessarily mean your password is safe. For example, if the passwords were encrypted but the keys were stolen by the attackers (who persisted in the network for some period of time), then the encryption is worthless. Equally, if the passwords are encrypted or hashed in a substandard way, then attackers could potentially break the protection and reveal the original text. This happened to Adobe only months ago. When LinkedIn lost >5M password hashes, over 60% of them were broken within two days of the breach.
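To make the "substandard hashing" point concrete, here is an added example (not from the original post, and not a description of eBay's actual scheme) contrasting an unsalted single-round SHA-1 store with a salted, deliberately slow PBKDF2 store. The user table, the iteration count and the storage format are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Dict, List

# Assumed work factor; tune so one hash costs roughly 100 ms on the server.
PBKDF2_ITERATIONS = 100_000

# Constructed sample user table (not real breach data). Two users share a password.
SAMPLE_USERS = {"alice": "correct horse battery", "bob": "summer2014", "carol": "summer2014"}


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: cheap to compute, and equal passwords give
    equal digests, so one precomputed table covers every user in the dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The stored
    string is self-describing so the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def users_sharing_a_digest(users: Dict[str, str], hasher: Callable[[str], str]) -> int:
    """Count users whose stored digest equals another user's. With an unsalted
    hash this exposes password reuse across accounts before any cracking starts."""
    digests: List[str] = [hasher(pw) for pw in users.values()]
    counts = Counter(digests)
    return sum(1 for d in digests if counts[d] > 1)


if __name__ == "__main__":
    print("shared digests, unsalted SHA-1:", users_sharing_a_digest(SAMPLE_USERS, weak_hash))
    print("shared digests, salted PBKDF2: ", users_sharing_a_digest(SAMPLE_USERS, strong_hash))
```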
In my role as a security researcher and tester I've often fired up cracking tools and a single laptop to hunt password hashes (with permission, and, I should add, with great success), but imagine what the cyber criminals can achieve with their substantial botnets (large networks of computers running remote-control code that can be tasked with anything the cyber criminal wants) and the benefit of time on their side. For every moment that you do not change your password you are racing the vast computing power of a criminal gang and time itself. In short, it is undoubtedly best to assume that your password has been compromised, to check over your account for any strange signs and then to change your password as quickly as possible. At least eBay are not in the category of flat-out negligent in storing plaintext passwords, as other providers have been of late. If you need tips on password security take a look at my article here.

eBay will shortly begin notifying customers that they need to change their passwords, but it is undoubtedly best to get ahead of the curve and be on the safe side, particularly as eBay often has access to payment or personal information, or if you share your password with lots of other websites. On that topic, eBay was quick to reinforce that the breach does not impact PayPal or any of the financial information held there. Or, to use the specific phrasing, it "has no evidence of personal or financial information at PayPal being accessed", which means that as the investigation continues they may find the attacker gained access to more than they thought; this would not be a first in such attacks. They also highlighted that as yet (in co-ordination with law enforcement) they have not seen any indication of fraud being conducted on their systems. I should note that both PayPal and eBay have had a few interesting security best-practice challenges over the years.
PayPal even today, for example, will not allow you to set a password longer than 20 characters (which, if you read my password best-practice article, you will know is a ridiculous limitation when a password manager could manage a really nice long secure password for you) and has implemented two-factor authentication (which is a good thing!) but has allowed users to trivially bypass it with a few clicks. All of that said, in this case eBay appear to have turned around the incident management and forensics quickly and are disclosing the need to act and communicating with customers. I for one hope this is followed by a more detailed root-cause analysis and steps to remedy.

eBay Inc have come to the press with this announcement now after an extended period of forensics, though it is likely that investigations will continue for some time and additional information will come to light. Keep an eye out for more eBay updates on the topic; this just serves as another reminder of the importance of not recycling passwords across websites. Simple security best practices help you prepare for when things inevitably go wrong, like for eBay today.
Posted on: Wed, 21 May 2014 23:00:57 +0000