eBay – a company that is entrusted with millions of people's personal data – is asking users to change their passwords in the wake of a cyber-attack that compromised encrypted passwords and other “non-financial” data. The online auction giant’s terse statement on the issue points to worrying security gaps inside the company, researchers told Infosecurity.
As far as the sequence of events, eBay said only that the attackers were able to compromise “a small number of employee log-in credentials,” allowing unauthorized access to its corporate network between late February and early March.
The company also said that these compromised employee log-in credentials were first detected about two weeks ago – three or so months later – after which the company said it conducted “extensive forensics”. It subsequently identified the compromised eBay database (which contains customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth), and today began notifying affected users. It didn’t say how many might be affected.
It said that financial and credit card/PayPal information was not affected, as it’s stored separately in encrypted formats.
Roger Thompson, chief emerging threats researcher at ICSA Labs, noted to Infosecurity that users should not be surprised by the hack itself.
“Security and functionality tend to exist in an inverse relationship. In other words, the more functional you make something, the less secure it tends to be, and big websites are highly functional,” he said. “Breaches are part of the fabric of the internet.”
He added, “Websites that don’t have multiple forms of authentication should be considered high-risk for these types of events” – like eBay.
But the lack of two-factor authentication for buyers and sellers is just the tip of the security oversight iceberg, according to researchers. Rik Ferguson, vice president of security at Trend Micro, penned an open letter to eBay (given to Infosecurity) laying out the issues inherent in eBay’s apparent approach to safeguarding data. For one, there’s the gap between compromise and detection: “Why has it taken an organization with the resources of eBay three months to notice that was being accessed inappropriately, not to mention exfiltrated? Where are the breach detection systems?”
And what of the method of data storage? The passwords were merely encrypted – a concern in and of itself, because password databases should use hashing instead, according to Brian Honan of BH Consulting, speaking to Infosecurity. But as George Anderson, director at Webroot, pointed out in a mail, “eBay did the bare minimum by encrypting the passwords, but all other information should have been treated as equally important, especially the date of birth – as it’s often used as a validation in other online areas – i.e. banking.”
Ferguson agreed, noting, “If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? I note with chagrin that ‘all PayPal financial information is encrypted’, still running a two-tier system?”
He added, “How was my password ‘encrypted’? I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.”
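As an added illustration of the storage practice Honan and Ferguson are describing (example code, not eBay's and not from the article): a salted, iterated password hash whose algorithm, salt and work factor are stored with the record, plus a rough measure of how fast an attacker holding a leaked record could test guesses. The iteration count, record format and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for illustration; tune on real hardware so one
# verification costs on the order of 100 ms.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a salted, iterated hash, never a reversible ciphertext.
    Record format (assumed): algo$iterations$salt_hex$digest_hex, so the
    algorithm, salt and work factor are self-describing."""
    salt = os.urandom(16)  # unique per user: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current
    policy, so it can be upgraded at the user's next successful login."""
    return int(record.split("$")[1]) < iterations

def measure_guess_rate(record: str, samples: int = 3) -> float:
    """Single-core guesses per second someone holding the leaked record gets
    on this machine; the work factor, not secrecy, is what slows them down."""
    start = time.perf_counter()
    for i in range(samples):
        verify_password(f"guess{i}", record)
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a keyspace at that rate."""
    return keyspace / guesses_per_second

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec))
    rate = measure_guess_rate(rec)  # 26**8: all 8-letter lowercase passwords
    print(f"{rate:.0f} guesses/s; 26^8 exhausted in {seconds_to_exhaust(26**8, rate)/86400:.0f} days")
```

With a reversible cipher, one leaked key recovers every password at once; with this scheme each record must be guessed individually at the cost the work factor imposes.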
So far, there’s no evidence of the compromise resulting in unauthorized activity for eBay users, the company said, but researchers warned that because of the lack of immediate user notification, it may be too early to tell.
“It is worrying that an organization such as eBay was unable to detect such a breach for so long a period of time,” said Honan. “eBay has said it has seen no increase in fraudulent activity since the breach was discovered, but it would be interesting to see if the same can be said in the period of time when the breach occurred and when it was detected.”
Waiting over two weeks to inform its users of the cyber-attack may have irresponsibly put unsuspecting users in danger, according to Anderson, but is sadly not unique. “It’s disappointing,” he said. “However, eBay is certainly not the only organization who has left time between a breach and its public disclosure. In fact, such practice is becoming a worrying trend – a few weeks ago Orange France was criticized for doing the same.”
eBay also did not say whether a phishing initiative was the point of origin for the compromise of insiders’ information, but Chris Boyd, malware intelligence analyst at Malwarebytes, noted to Infosecurity that “this could be achieved as the result of a targeted ‘watering hole’ compromise or someone falling victim to spear phishing or another form of social engineering. These types of attacks aim to get inside pre-identified targets such as companies and other high-value institutions.”
Regardless of the technique, better authentication practices could have mitigated any danger from employees falling for such ploys. “One would expect a company like eBay would employ secure log-in methods such as multi-factor authentication to protect such sensitive information and not rely solely on user ID and passwords,” Honan said. “In addition, one would have expected the activity for employee accounts would be closely monitored to detect any suspicious behavior.”
In the wake of the breach, users should change their eBay password, and, if they’ve utilized the same password on other sites, should change those passwords as well. Also, users should of course be looking out for spam and phishing scams targeting them in the wake of their email addresses being compromised.
“Users need to follow basic security measures like using only one password per site and investing in a password manager,” Thompson said. “Passwords by themselves aren’t relative as a security measure in today’s environment.”