
eBay’s Data Compromised – A Trend in Penetration Continues

Trend in Penetration

The year 2014 started with a series of attacks, including AOL (email scam), the University of Virginia (1 million files leaked), Twitter (hit by a series of avalanche attacks), the theft of 18 million accounts and passwords including those of major ISPs in Germany, Heartbleed breaking the myth that “SSL is a safe haven”, and many more.

The newest in the series is the largest online marketplace for auctions, eBay.com, which has become the latest victim of a cyber attack. Founded in 1995 in San Jose, Calif., eBay Inc. connects millions of buyers and sellers and enabled $205 billion* of commerce volume in 2013.

Insights:

This time, the breach is said to have taken place after hackers somehow obtained the log-in credentials of a small number of employees. Those credentials granted access to eBay’s corporate network and enabled the hackers to reach a database holding records of millions of users.

eBay-owned PayPal posted a blog entry entitled “eBay, Inc. to Ask All eBay users to Change Passwords,” which was retweeted hundreds of times in a day; the resulting burst of users brought the site down and caused more confusion. The database was compromised between late February and early March, and includes eBay customers’ names, encrypted passwords, email addresses, physical addresses and more. It does not include financial information.

eBay has claimed that there is no indication of fraudulent activity at the moment, and that no evidence has so far been found that the stolen data has been used for unauthorized access. Even so, eBay has taken the hack seriously and is working extensively with forensic investigators to trace the leak.

Based on these trends, this year can easily be called the year of hacks, and more security espionage will be seen in the coming months. The after-effects of such a compromise are devastating, not only for the organization but for its customers as well, and the data is also valuable to competitors. The worst part is that many users and companies will not even know that they have been hacked, leaving a constant gap and a continuous leak. Creating security awareness among employees should be made a mandatory practice to avoid such exploitation. Attackers need just one valid username and password to step into a system; from there, cracking their way further in and taking what they need is trivial. Security policies and procedures play an important role and should be properly implemented and checked.

eBay Passwords for sale:

Interestingly, that non-financial data seemed quite valuable to potential buyers, and the hacker has already put it up for sale on Pastebin. As a sample, he has posted the data of 12,663 users from the APAC region, including usernames, hashed passwords, email addresses and so on. He is offering a full copy of 145,312,663 usernames, passwords, postal addresses and dates of birth from eBay, and in return is asking for $770 in Bitcoin.

What YOU SHOULD do being an end user:

Even if you have not been notified by eBay, you should change your password on eBay immediately, and on every other site where you use the same password. Avoid reusing any of the last five passwords you have used. It is better to keep a different password for every site, or else use a password manager to generate complex passwords and remember them for you. Where a site offers two-factor authentication, turn it on. Avoid using financial sites on public WiFi, for example in fast-food restaurants or airports.

Alan Woodward, a security expert, has shared some tips on staying secure:

  • Don’t choose a password obviously associated with you:

    Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet’s name you’re in trouble.

  • Choose words that don’t appear in a dictionary:

    Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.

  • Use a mixture of unusual characters:

    You can use a word or phrase that you can easily remember but where characters are substituted, e.g., Myd0gha2B1g3ars!

  • Have different passwords for different sites and systems:

    If hackers compromise one system you do not want them having the key to unlock all your other accounts.

  • Keep them safe:

    With multiple passwords it is tempting to write them down and carry them around with you. It is better to use some form of secure password vault on your phone.
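The two points above that matter most for a leak like the one described in this post (a dump of usernames plus "hashed passwords" offered for sale, and the warning that attackers precalculate the hashed forms of whole dictionaries) can be shown concretely. The following is an added example written for this page; it is not code from eBay, from the original post, or from Alan Woodward. The wordlist, the three-user "leaked database" and the choice of PBKDF2-HMAC-SHA256 as the slow hash are all assumptions made for illustration; it uses only the Python standard library and runs offline.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist (assumption for this example); a real attack
# would use a multi-million-entry dictionary plus leaked-password corpora.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey", "fluffy"]


def unsalted_hash(password):
    """Legacy storage: one fast, unsalted hash per password. Every user who
    chose the same word gets the same digest, so one precomputed table
    breaks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precompute_table(words):
    """Build digest -> plaintext for the whole dictionary. This is the
    'precalculate the encrypted forms of whole dictionaries' step: done once,
    offline, and reused against any leak that stores the same unsalted hash."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(leaked, table):
    """Recover passwords from leaked unsalted digests by table lookup;
    the cost is one dictionary lookup per user, whatever the database size."""
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    A real deployment would prefer bcrypt, scrypt or Argon2; PBKDF2 is used
    here only because it ships with the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(password, iterations=100_000):
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt, iterations),
            "iterations": iterations}


def verify_salted(password, record):
    candidate = salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(leaked, words):
    """Against salted, slow hashes no precomputed table applies: the attacker
    must re-run the full KDF for every (user, word) pair, so the work is
    len(leaked) * len(words) * iterations instead of one lookup per user."""
    found = {}
    kdf_calls = 0
    for user, record in leaked.items():
        for w in words:
            kdf_calls += 1
            if verify_salted(w, record):
                found[user] = w
                break
    return found, kdf_calls


# Constructed "leaked database" (assumption for this example): alice and bob
# picked dictionary words, carol did not. Low iteration count keeps it quick.
USER_PASSWORDS = {"alice": "fluffy", "bob": "password", "carol": "k9!Tq#v2LpWz"}
LEAKED_UNSALTED = {u: unsalted_hash(p) for u, p in USER_PASSWORDS.items()}
LEAKED_SALTED = {u: store_salted(p, iterations=20_000) for u, p in USER_PASSWORDS.items()}


def demo():
    table = precompute_table(WORDLIST)
    cracked_fast = crack_unsalted(LEAKED_UNSALTED, table)
    cracked_slow, kdf_calls = crack_salted(LEAKED_SALTED, WORDLIST)
    # Password reuse across sites: with unsalted hashes the same password gives
    # the same digest everywhere, so one site's leak exposes the same account on
    # every other site that stores it the same way.
    reused = unsalted_hash("fluffy") == LEAKED_UNSALTED["alice"]
    return cracked_fast, cracked_slow, kdf_calls, reused


if __name__ == "__main__":
    fast, slow, calls, reused = demo()
    print("unsalted, table lookup :", fast)
    print("salted, per-user KDF   :", slow, f"({calls} KDF calls)")
    print("same password, same digest across sites:", reused)
```

Both attacks recover the two dictionary passwords and neither recovers carol's, which is the point of choosing words that are not in a dictionary; the difference is the cost. The unsalted case is a lookup against a table built once and reusable for every leak, while the salted case forces a fresh KDF run per user per guess, which is why a site that hashes properly turns a "hashed passwords for sale" dump from an immediate account takeover into a slow, per-account effort.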