Internet auction website eBay has instructed users to change their passwords after it admitted to suffering an attack in February.
According to a statement published on its corporate website, company said it has no evidence of the compromise “after conducting extensive tests on its networks”, but there was no evidence that financial or credit card information had been accessed as this “is stored separately in encrypted formats”.
However, eBay’s 112 million users will be asked to change their passwords later today after attackers compromised a small number of employee login credentials, allowing unauthorised access to eBay’s corporate network.
This saw a database compromised and data including customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. “However, the database did not contain financial information or other confidential personal information,” it said.
The compromise occurred in late February or early March, and it only detected that the compromised employee log-in credentials were used about two weeks ago.
In an email to IT Security Guru, security analyst Graham Cluley, said: “Even the biggest companies, protecting the valuable information of millions of innocent users worldwide, can fall foul of an attack. All it requires is for a hacker to capture a member of staff’s passwords (perhaps via phishing, or spyware, or the dubious practice of reusing passwords) for login credentials to fall into the wrong hands.
“One question that remains is whether these eBay employee accounts were protected with two factor authentication, which surely would have made it much harder for the hackers to make their way into the company’s network.
“Hopefully eBay will thoroughly re-examine its own security, and come out of this incident better protected in future. And other companies should remember – if this can happen to a company as big as eBay, it could happen to you.”
eBay has said it has seen no indication of increased fraudulent account activity on eBay, or any evidence of unauthorised access or compromises to personal or financial information for PayPal users. The statement said: “Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”
Ilia Kolochenko, CEO of High-Tech Bridge, told IT Security Guru that he felt that encryption was not always safe and that almost anything can be hacked. “The request to change passwords is a classic example of how we do not know if anything can be secure,” he said.
Troy Gill, senior security analyst at AppRiver, said: “Although the compromise happened a few months ago, it is possible that eBay did not identify the activity and sort out what data had been compromised until much later.
“I strongly recommend that all eBay users change their password as well as any other accounts utilising the same password. I also forgot to add that any time an event like this occurs it opens the door for the eBay and PayPal phishing campaigns to be much more effective, since many are familiar with the situation and might not realise the scam is not part of the actual eBay effort. This breach is a stark reminder that no organisati
on is immune to cyber attacks.”
TK Keanini, CTO at Lancope, said: “This is an unfortunate event but the reality is that all companies need to be ready for it to happen. Some companies are more ready than others. For example, eBay should programmatically force a reset of all passwords because just asking nicely will be ignored by too many. They also should offer a two-factor authentication method as other have done. All of these things help raise the cost to attackers.”
Michael Sutton, VP of security research at Zscaler, commented that eBay has historically had a strong track record on security, having built a strong internal security team and worked closely with law enforcement.
“This is further evidence, as though any was required, that all enterprises are vulnerable to attack,” he said.
“It remains to be seen how the breach occurred, but mention of a small number of employee accounts being compromised lends itself to a targeted attack. It is concerning that the beach occurred some two months prior to discovery, presumably, the stolen credentials had been used but internal controls failed to detect their use by third parties or potential data exfiltration.
“While encouraging to learn that all passwords were allegedly encrypted, the personal data that was accessed including customer names, phone numbers, physical addresses, email addresses and date of birth, would be beneficial to attackers conducting social engineering attacks against eBay users.”
Brian Honan, CEO of BH Consulting, called the breach “worrying”, especially as an organisation such as eBay was unable to detect such a breach for so long a period of time.
He said: “eBay said it has seen no increase in fraudulent activity since the breach was discovered, but it would be interesting to see if the same can be said in the period of time when the breach occurred and when it was detected.
“Also, it is concerning that the breach resulted due to the compromise of a small group of employee login credentials. One would expect a company like eBay would employ secure login methods such as multi-factor authentication to protect such sensitive information and not rely solely on user-id and passwords. In addition, one would have expected the activity for employee accounts would be closely monitored to detect any suspicious behaviour.”
Brendan Rizzo, technical director EMEA at Voltage Security, said: “This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it’s not a matter of ‘if’ it will be compromised – it’s a matter of ‘when’. While there is no doubt that eBay has top of the line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances.
“The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company’s defences undetected. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.
If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where users’ personal information has now been exposed to an untold number cyber criminals.”
