The eBay Data Breach: What You Need To Know

In what is one of the biggest breaches of user data yet, eBay has revealed that in late February and early March 2014 its systems were compromised. Other than confirming that staff accounts were co-opted and advising eBay account holders to change their passwords, it has revealed little else.

So, what should you do? Is changing your password enough, or should you go further? Perhaps your concerns extend to other eBay owned services, most notably PayPal?

eBay Explains What Happened

In a blog post headed “eBay Inc. To Ask eBay Users To Change Passwords” on Wednesday May 21st (following an earlier empty blog post that leaked the security breach, allowing several news outlets to get the jump on eBay) the auction giant announced that

“…it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.”

The post goes on to explain (oddly, in the third person) that the company has found no evidence that financial or credit card information was compromised in the attack, which took place during “late February and early March”. Compromised information included “eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.” Note that “encrypted” is all eBay says: the post, as quoted, does not name the algorithm or say whether the passwords were salted and hashed rather than reversibly encrypted, and that detail decides how quickly a leaked password table turns into usable passwords.
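Because eBay gives no detail beyond “encrypted”, it is worth seeing what the difference means. A password table protected by reversible encryption is fully exposed the moment its key is; a table of salted, slow one-way hashes forces the attacker to re-run the hash for every guess on every account. The example below is added here for illustration and is not eBay’s code or a description of what eBay did: it assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt per account (a reasonable scheme, our assumption), and shows both the check a site performs at login and the offline guessing an attacker performs against a stolen table. The passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, NamedTuple, Optional

# Assumption for this example: PBKDF2-HMAC-SHA256. The page does not say what
# eBay used. OWASP recommends 600,000 iterations for this construction; the
# default is lower here only so the demonstration runs quickly.
DEFAULT_ITERATIONS = 100_000


class StoredPassword(NamedTuple):
    salt: bytes        # 16 random bytes, unique to this account
    iterations: int    # work factor, stored so it can be raised later
    digest: bytes      # one-way hash; there is no key that decrypts this


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> StoredPassword:
    """Create the record a site stores instead of the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredPassword(salt, iterations, digest)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Login-time check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), stored.salt, stored.iterations
    )
    return hmac.compare_digest(candidate, stored.digest)


def offline_guess(stored: StoredPassword, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding the leaked table does: there is no key to
    recover, so each guess is hashed with the account's salt and compared.
    The per-account salt means no precomputed table helps, and the iteration
    count slows every guess, but a password present in a wordlist still falls."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demonstration data, not real accounts.
    leaked_table = {
        "alice": hash_password("password1", iterations=20_000),
        "bob": hash_password("kV7!wq#2Lz9p-unique", iterations=20_000),
    }
    common_passwords = ["123456", "password", "password1", "qwerty", "letmein"]
    for user, record in leaked_table.items():
        print(user, "->", offline_guess(record, common_passwords))
```

The two users above illustrate the page’s advice: the salted, slow hash is identical for both, yet the account whose password appears in a common-password list is recovered in a handful of guesses, while a long unique password is not.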

eBay insists that it is taking the matter seriously: “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”

How Was Your eBay Data Compromised?

Having detected the security breach around two weeks ago, eBay made mention of “the compromised employee log-in credentials” which are to blame for the intrusion. A forensic investigation then “identified the compromised eBay database” where personal data – for every single eBay user – is stored.

You may want to re-read that last paragraph.

At this point, it is unclear exactly how the eBay employee accounts were compromised. One suggestion is that they fell foul of a phishing attack: a fake email asking staff to log in and reset their password on a convincing-looking website. An alternative is that the breach was an inside job. Both are speculation, because eBay has released very little detail about this affair. Could an employee have conducted the break-in?

Also, consider the number of accounts: personal data for 145 million people has apparently been stolen. If the intrusion started with compromised employee credentials, was there really a single account with read access to all 145 million records? Least-privilege practice says nobody’s login should have that reach.

The timeline, meanwhile, coincides with the Heartbleed storm. In April eBay reassured users:

1) Your eBay account is secure

2) Your eBay account details were not exposed in the past and remain secure

3) You do not need to take any additional action to safeguard your information

4) There is no need to change your password

Meanwhile the startup password changing service Passomatic reported that “all its partners have made the fix. Among them are eBay.”

Could Heartbleed have been the route into eBay? The timing argues against it: the intrusion dates to late February and early March, while the OpenSSL bug (CVE-2014-0160) was only publicly disclosed on 7 April 2014, so an attacker would have needed to know about it beforehand. Or, more embarrassingly, could the focus on the OpenSSL vulnerability turn out to have been a very costly distraction for the online auction house?

Dealing With The Security Breach

One of the most concerning aspects of this case is the timeline. It is remarkable that eBay did not detect the breach for roughly two months, something that may indicate an unusually skilled operation (equally, it could mean that eBay’s database security and monitoring are not fit for purpose).

Following the announcement, eBay claimed that “users will be notified via email, site communications and other marketing channels to change their password”. However, so far there have been no reports of emails being received, only notices posted on social networks.

[Image: PayPal/eBay]

What you may not know about eBay, Inc. is that it not only owns the popular online auction site www.ebay.com and its international variants, it also owns PayPal.

The unapologetic, limited details released by eBay do the company no favours. While it claims that its other businesses are unaffected by the breach, unless eBay can show how it knows this, there is no way for us to trust the assertion.

Being realistic, this is a security breach of cataclysmic proportions. The volume and depth of data stolen from accounts is unprecedented.

To make matters worse, phishing emails are now arriving in inboxes around the world as scammers attempt to cash in on the breach. An unusual aspect of the case is that the data has not yet turned up for sale on the darker side of the Internet, which has led to some uninformed speculation that the breach is little more than a PR exercise.

[Screenshot: eBay homepage on May 21st, showing no breach warning]

The screen cap above was taken on Wednesday, May 21st, the day news of the leak broke. No warnings or advice to be found!

Some other things that you should consider. As of January 2013 there were 112.3 million active users worldwide, yet 145 million records are said to have been stolen. That leaves around 30 million dormant accounts that could be hijacked, more than enough to poison eBay’s internal ratings and trust system should the hackers so choose. Trust is key to eBay’s business model, and without it, its days could be numbered.

Then there’s the request for people to change their passwords. The site has already experienced performance issues following news of the breach as users flocked to eBay to begin changing passwords.

That’s if users can even find the change password option (hint: click the forgot your password? button to save time).

The Financial Data Question: Are Your Card Details Safe?

eBay insists that no financial or credit card data has been compromised, only names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

This reads as damage control, intended to minimize outrage.

Say you wanted to access your eBay card details, what would you do? Sign in, of course, with your username and password. The card number will be largely masked (save for the final four digits), but what remains, from the expiry date to the card type and how often you’ve used it, is potentially enough to mark you out as a target, and, cross-referenced with other accounts, possibly more.

Remember, your online identity is basically a dataset describing your physical identity. Each element – name, date of birth, address – is a jigsaw piece. As more pieces are found, a bigger picture of who you are emerges.

What You Should Do To Protect Your Data

eBay has stated that its businesses are all kept separate. The implication of this should be that PayPal data is kept completely isolated from eBay data.

However, as the company has been unclear about how the breach occurred and which employees were affected, there is no reason to take this comment seriously.

[Screenshot: eBay login page]

As such we recommend that you change both your eBay and PayPal passwords. Make sure they are different from each other and from those used for any other online accounts. Furthermore, heed eBay’s advice and change the password on any other account where you reused the eBay one. Our tips on creating a secure password should help you out here, and a password manager such as LastPass can generate and store them for you.

In the USA, PayPal offers two-factor authentication using a small handheld token that generates a one-time code. There appears to be no equivalent offered for eBay directly, but once you have registered the device with PayPal you can use it to protect your eBay account too. The implementation and promotion of these tools has been poor, but two-factor authentication is a must for any online service that stores data about you: with it, a stolen password alone is not enough to log in.

Remember, this is your data that eBay is admitting to having lost. Your name, address, phone number, birthday… you can change your password, but you can’t change them.

This Breach Is Disastrous For eBay

As stated earlier, we believe that changing your passwords and adopting two-factor authentication (where available) for eBay and PayPal is the best course of action.

However, if we consider the lack of information about the breach, the possibility of an internal attack, the lack of data being put up for sale, the potential for 30 million zombie accounts destroying eBay’s seller trust rating and its inability to cope with password resets, there remains a question that has to be asked. Do you really want to be a member of a website that treats user data and security breaches in this way?

If you’re thinking “but eBay is the only decent auction site!” then you’re quite wrong, as there are plenty of alternatives that you should check out.

However, we would encourage you to give this matter serious thought. It might not save your stolen data, but enough people voting with their feet will give other companies cause to act responsibly in these situations in future.

Have you received an email from eBay? Did you change your password already? How do you feel about this breach?

Let us know your thoughts in the comments.

Image credit: PayPal/eBay stand by Janitors, eBay sign by Steve Arnold.

11 Comments

Chinmay S

Today itself I got an email from eBay, but after reading a previous article on MakeUseOf, I changed my password on 22nd May.

Dmitriy T

I changed my eBay pass a few days ago – seemingly not during the stampede, so now I wonder – did eBay take notice of that, or did they not bother to notify users at all? Or just non-US users?

PS As for PayPal – I use one card (a debit one) specifically for that, with no money on it until I need to buy something. Sometimes paranoia brings peace of mind :)

Christian C

I’ve since seen screenshots of small flag messages that seem to be a little random around the site.

EBay really needs to be doing more about this.

Evil Insert

You can comfortably multiply 145 million by at least 5. Many of the pass/email combinations will have been used across multiple sites. Also, every breach makes cracking new dumps easier than before. This is the worst so far, I think.

Christian C

Looks like my reply to Dmitriy ended up in the wrong place!

Evil Insert: the worst yet? I think you’re absolutely right. Why else would eBay play down 145 million?

dragonmouth

“Why else would eBay play down 145 million?”
Because that is the way eBay deals with problems – they try to gloss over them.

Charity

And why did it take nearly THREE MONTHS to let us know?

dragonmouth

If I was a conspiracy theorist, I would say that the breach was an inside job and that someone (a group of someones) was exploiting it during that time.

Evil Insert

This is part of the reason I’m strongly against any form of data clouding.

Christopher W

I managed to change my password early on the 22nd, but I was up very early that day.

I don’t fully buy the “inside job” theory yet, just for lack of evidence, but this doesn’t sound like the usual data breach. I don’t think the whole story is out, and I don’t just mean the stuff that isn’t released on the technical details of how it was done. I’m referring to the circumstances. There is at least one piece missing from this story.

If it was for nefarious purposes, I for one haven’t seen any great jump in the amount of spam I get. Or snail mail junk mail.

Another possibility: eBay employee was blackmailed.

Jon S

Hello, all.
Changed my eBay password May 21, or 22.
It was too difficult to locate the change option,
but I got’er done.
I’m wondering how useful is the instruction to change passwords regularly,
since we’ll need to change them again as soon as the site gets hacked anyway.
Two-factor authentication is supposedly the way to go,
but I’m unsure of the ‘usefulness’ of it,
since the sites seem to get hacked, and then we need to change the password again anyway.
Maybe we should all just change our passwords every 48 hours, just to be sure.

Have a GREAT day, Neighbors!
And change your passwords, *again*!
