Around 145 million user records were affected in the eBay breach in what could be the second biggest breach in history at a US company.
According to Reuters, the attackers copied ‘a large part’ of that database and this is the second biggest breach for a US company since the Adobe breach of around 152 million user accounts last October.
eBay spokesperson Amanda Miller told Reuters that passwords were encrypted and claimed that decryption would not be easy. Miller said that the breach was discovered in early May and was determined to have occurred in late February or early March, after which eBay “worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise”.
eBay said that it had not seen any indication of increased fraudulent activity on its website and that there was no evidence that PayPal had been breached. Users were due to receive a notification from eBay asking them to change their password, and on Thursday morning, Devin Wenig, president of eBay Marketplaces, said the company believed the encryption would keep passwords secure, but “we don’t want to take any chances”.
Wenig said: “We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay. So we think it’s the right thing to do to have you change your password. And we want to remind you that it’s a good idea to always use different passwords for different sites and accounts.
“Meanwhile, our team is committed to making eBay as safe and secure as possible. So we are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do.”
Commenting, Dr Guy Bunker, cyber security analyst at Clearswift, said: “The major concern with this cyber attack, on such a huge scale, is eBay’s failure to recognise the attack immediately, which led to the delay in informing its millions of customers. This implies an immense failure on eBay’s behalf to maintain control and protection of its users’ critical information.
“It is a company’s responsibility to understand where its critical information is 100 per cent of the time, who has access and how. While eBay has confirmed that no financial information has been breached, personal information has fallen into the hands of the hackers. With such a delay in acknowledging the attack, the true extent of the data loss is not yet known and it’s imperative that further analysis is done before we can make any further assumptions.”
Since the announcement was made, there has been little information on how the attackers obtained the employee login credentials. Sergio Galindo, general manager of the infrastructure business unit at GFI Software, said: “Reports so far suggest that the eBay hacking incident was at least in part facilitated by lax employee data security. In reality this could be anything from weak and easily discoverable passwords, to exploitation of insecure network devices in order to breach a system without throwing up any red flags and with minimal effort and equipment.
“Alongside hackers tapping into unofficial Wi-Fi hotspots and running through the known default passwords for switches and routers, these are frequent occurrences at organisations globally that not only damage customer confidence and brand value, but also cost money, time and productivity in the short term as the companies affected try to recover.”
eBay said that it had shut down the unauthorised access to its website and had put additional measures in place to enhance its security, and that it had seen no spike in fraudulent activity on the site.
Dwayne Melancon, CTO of Tripwire, said: “eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this. To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site.”