The popular online auction website announced today that its systems had been breached by attackers, exposing “eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.” The press release reassures users that “the database did not contain financial information or other confidential personal information”.
The breach appears to have happened sometime in February or March but was only discovered two weeks ago. It is worrying that an organisation such as Ebay was unable to detect a breach for that long, and that it then took a further two weeks to notify affected users.
Ebay has said it has seen no increase in fraudulent activity since the breach was discovered, but it would be interesting to know whether the same can be said of the period between when the breach occurred and when it was detected.
It is also concerning that the breach resulted from the compromise of a small number of employee login credentials. One would expect a company like Ebay to protect access to such sensitive information with multi-factor authentication rather than relying solely on user IDs and passwords. One would also have expected activity on employee accounts to be closely monitored so that suspicious behaviour is detected.
Their statement also says the passwords were encrypted. This is a concern: passwords should not be stored encrypted but as salted hashes produced by a deliberately slow algorithm, so that an attacker who steals the database cannot simply decrypt them with the key. I hope this is not the case and that the term encryption was used simply to make the press release more understandable to non-technical people. The question also has to be asked why the other personal information was not encrypted. Given that the data exposed (name, address, phone number, date of birth) is often used by other sites and services to verify who a user is, encrypting it would have been a prudent security measure by Ebay to protect their customers’ personal data.
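To make the hashing-versus-encryption distinction concrete, here is an added Python example. It is my illustration, not eBay's code or anything described in the press release. It stores a password as a salted PBKDF2-HMAC-SHA256 record and verifies it in constant time, and beside that it includes a toy reversible construction (a keyed XOR keystream derived with HMAC, which is not a real cipher and exists only to illustrate reversibility) to show why an attacker who walks off with both the table and its key recovers every password at once. The iteration count, record format, key and sample passwords are all assumptions.

```python
"""Hashed vs. reversibly encrypted password storage (added illustration, not eBay's code)."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune so one hash costs tens of milliseconds
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table is useless against the whole set.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# --- Toy reversible "encryption", only to show why that word is a concern ---
# NOT a real cipher: a keystream built from HMAC-SHA256 over (nonce, counter), XORed
# with the plaintext. Its one relevant property is that whoever holds the key
# turns the whole stored table back into plaintext.
NONCE_BYTES = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, password: str, nonce: Optional[bytes] = None) -> bytes:
    nonce = os.urandom(NONCE_BYTES) if nonce is None else nonce
    data = password.encode("utf-8")
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def toy_decrypt(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode("utf-8")


def what_an_attacker_recovers(table: Dict[str, bytes], stolen_key: bytes) -> Dict[str, str]:
    """With a stolen database *and* its key, every encrypted password is immediately readable.

    There is no equivalent function for the hashed table: the best an attacker can do
    is guess candidates and pay the PBKDF2 cost for each one, per user.
    """
    return {user: toy_decrypt(stolen_key, blob) for user, blob in table.items()}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password(record, "correct horse battery staple"))
    key = os.urandom(32)
    table = {"alice": toy_encrypt(key, "hunter2"), "bob": toy_encrypt(key, "letmein")}
    print(what_an_attacker_recovers(table, key))
```

In production the hashing side would use a maintained library and a memory-hard algorithm (bcrypt, scrypt or Argon2) rather than hand-rolled PBKDF2 handling, but the shape is the same: random salt, slow derivation, constant-time comparison, and nothing stored that a key could reverse.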
It will be interesting to see how the compromise happened, but based on similar breaches in the past it would not surprise me if this was the result of a spear-phishing attack against Ebay employees.
This breach is another good reminder to users of why they need to use different passwords on different websites, so that a breach at one site does not lead to their accounts on other sites being compromised.
Ebay customers should be on alert for phishing attacks that take advantage of their leaked personal information, and for emails pretending to be from Ebay asking them to reset their passwords. Anyone resetting their password should do so by going to the site directly rather than following a link in an email.
What Can Companies Learn From This?
- If you are storing sensitive data, encrypt it.
- Passwords should be hashed, not encrypted: use a per-user salt and a deliberately slow algorithm such as bcrypt, scrypt or PBKDF2. See this excellent video from Javvad Malik explaining the difference.
- Critical user accounts should be monitored for unusual behaviour that could indicate a compromise.
- Critical user accounts should be allowed to access sensitive information only from specific IP addresses, to prevent unauthorised use.
- Critical user accounts should be allowed to log into sensitive systems only during those users' normal working hours.
- Users working with sensitive information or in secure areas should be given regular security awareness training. Securing the Human is an excellent tool for achieving this in a consistent and user-friendly way.
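The three account controls above (unusual behaviour, source IP, working hours) can be expressed as one policy check over an access log. Here is an added Python example of that check, written by me for this post and not describing any control eBay runs. The log lines are constructed, the per-account policy values (allowed networks, hours, row threshold) are assumptions, and the field layout of the log is invented for the example.

```python
"""Policy checks for critical data-access accounts over sample log lines (added example)."""
import ipaddress
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample events, not real logs.
# Format: ISO timestamp, user, source IP, action, optional rows=N for queries.
SAMPLE_LOG = [
    "2014-03-03T09:12:44 jdoe 10.20.30.41 login",
    "2014-03-03T09:15:02 jdoe 10.20.30.41 query_customers rows=120",
    "2014-03-03T17:58:10 jdoe 10.20.30.41 logout",
    "2014-03-04T02:47:10 jdoe 203.0.113.77 login",
    "2014-03-04T02:49:31 jdoe 203.0.113.77 query_customers rows=1450000",
    "2014-03-04T10:02:00 asmith 10.20.31.9 login",
]

# Assumed per-account policy: where and when the account may touch customer data, and how
# many rows a single query may return before it counts as unusual behaviour.
POLICY = {
    "jdoe": {"networks": ["10.20.30.0/24"], "hours": (time(8, 0), time(19, 0)), "max_rows": 10_000},
    "asmith": {"networks": ["10.20.31.0/24"], "hours": (time(8, 0), time(19, 0)), "max_rows": 10_000},
}


def parse_line(line: str) -> Dict:
    """Split one log line into typed fields; rows defaults to 0 for non-query actions."""
    ts, user, ip, action, *extra = line.split()
    rows = 0
    for field in extra:
        if field.startswith("rows="):
            rows = int(field[len("rows="):])
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "action": action,
        "rows": rows,
    }


def check_event(event: Dict, policy: Dict) -> List[str]:
    """Return every policy rule the event violates (empty list means clean)."""
    reasons = []
    if not any(event["ip"] in ipaddress.ip_network(net) for net in policy["networks"]):
        reasons.append("source_ip_not_allowed")
    start, end = policy["hours"]
    if not (start <= event["time"].time() <= end):
        reasons.append("outside_working_hours")
    if event["rows"] > policy["max_rows"]:
        reasons.append("excessive_rows_returned")
    return reasons


def find_alerts(lines: List[str], policies: Dict = POLICY) -> List[Tuple[str, List[str]]]:
    """Run the policy over a log and return (line, reasons) for every event that should alert.

    An account with no policy at all touching the system is itself an alert: a critical
    system should only ever see accounts someone has explicitly scoped.
    """
    alerts = []
    for line in lines:
        event = parse_line(line)
        policy = policies.get(event["user"])
        if policy is None:
            alerts.append((line, ["no_policy_for_account"]))
            continue
        reasons = check_event(event, policy)
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for line, reasons in find_alerts(SAMPLE_LOG):
        print(f"ALERT {', '.join(reasons)}: {line}")
```

Run against the sample, the two 02:47/02:49 events are the only ones flagged: both come from an unexpected address outside working hours, and the second also returns a customer-table-sized result set. Static thresholds like these are a starting point; a real deployment would also compare each account against its own history (typical hours, usual networks, normal query sizes) and block, not just log, when the IP or time rule fails.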
Here is some coverage of the issue that I have commented on, including an interview with RTE’s main evening news TV program:
Researchers Blast eBay Over Data Breach – Infosecurity Magazine
eBay admits cyber attack was enabled via stolen employee logins – IT Security Guru
Ebay warns customers over data breach – RTE