In what is one of the biggest breaches of user data yet, eBay has revealed that in March 2014 its servers were compromised. Other than confirming that staff accounts were co-opted and advising eBay account holders to change their passwords, it is revealing nothing else.
So, what should you do? Is changing your password enough, or should you go further? Perhaps your concerns extend to other eBay owned services, most notably PayPal?
eBay Explains What Happened
In a blog post headed “eBay Inc. To Ask eBay Users To Change Passwords” on Wednesday May 21st (following an earlier empty blog post that leaked the security breach, allowing several news outlets to get the jump on eBay) the auction giant announced that
“…it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.”
The post goes on to explain how the company (oddly writing in the third person, indicating a lack of acceptance) has found no evidence that financial and credit card information has been compromised following the attack, which took place during “late February and early March”. Compromised information included “eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.”
EBay insists that it is taking the matter seriously and is currently “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”
How Was Your eBay Data Compromised?
Having detected the security breach around two weeks ago, eBay made mention of “the compromised employee log-in credentials” which are to blame for the intrusion. A forensic investigation then “identified the compromised eBay database” where personal data – for every single eBay user – is stored.
You may want to re-read that last paragraph.
At this point, it is unclear exactly how the eBay employee accounts were compromised. One suggestion is that they may have fallen foul of a phishing attack, where a fake email was sent asking them to log in and reset their password on a convincing-looking website. An alternative – and these are but speculation as eBay has been forthcoming with little detail about this disgraceful affair – is that the breach was made possible by an internal attack. Could an employee have conducted this break in?
Also, consider the number of accounts: personal data of 145 million people has apparently been stolen. If this intrusion was the result of employee accounts being compromised, was there a single person who had access to all 145 million records?
The timeline, meanwhile, coincides with the Heartbleed storm. In April eBay reassured users:
1) Your eBay account is secure
2) Your eBay account details were not exposed in the past and remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
Meanwhile the startup password changing service Passomatic reported that “all its partners have made the fix. Among them are eBay.”
Could Heartbleed have been the route into eBay? Or more embarrassingly, could the focus on the OpenSSL vulnerability turn out to have been a very costly distraction for the online auction house?
Dealing With The Security Breach
One of the most concerning aspects about this case is the timeline. It seems remarkable that eBay did not detect the breach sooner, something that may indicate a hacking operation of particular skill (equally, it could mean that eBay’s database security is not fit for purpose).
Following the announcement, eBay claimed that “users will be notified via email, site communications and other marketing channels to change their password”. However so far there have been no reports of emails being received, and only social networks issuing notices.
What you may not know about eBay, Inc. is that it not only owns the popular online auction site www.ebay.com and its international variants, it also owns PayPal.
The unapologetic, limited details releases by eBay do them no favours. While they claim that their other businesses are unaffected by this breach, the fact is that unless eBay prove that they know this for sure, there is no way that we can trust this assertion.
Being realistic, this is a security breach of cataclysmic proportions. The volume and depth of data stolen from accounts is unprecedented.
To make matters worse, phishing emails are now arriving in inboxes around the world as scammers attempt to cash in on the breach (although an unusual aspect to the case is that the data has not yet turned up either on the darker side of the Internet, leading to some uninformed speculation that the breach is little more than a PR exercise.)
The screen cap above was taken on Wednesday, May 21st, the day news of the leak broke. No warnings or advice to be found!
Some other things that you should consider. As of January 2013 there were 112.3 million active users worldwide; 145 million records are said to have been stolen. This leaves the potential for around 30 million unused accounts to be hijacked – more than enough to destroy eBay’s internal ratings and trust system should the hackers so choose. Trust is key to eBay’s business model, and without it, its days could be numbered.
Then there’s the request for people to change their passwords. The site has already experienced performance issues following news of the breach as users flocked to eBay to begin changing passwords.
so we're advised to change our ebay password because it's been hacked… yet I can't because of high traffic. cool.
— Angela (@CRiSPilyMEEE) May 22, 2014
@eBay_UK password reset not working we can't change the passwords on any of our accounts, sends the email reset link but keeps looping
— Carl Watts (@tier1online) May 22, 2014
That’s if users can even find the change password option (hint: click the forgot your password? button to save time).
How on earth do you change your eBay password? The UI is atrocious. Ping @stilgherrian
— Justin Warren (@jpwarren) May 21, 2014
The Financial Data Question: Are Your Card Details Safe?
EBay insists that no financial or credit card data has been compromised, only usernames, passwords and email addresses.
This is an attempt at damage control, however, to minimize outrage.
Say you wanted to access your eBay card details, what would you do? Sign in, or course, with your username and password. While the card number will be largely obscured (save for the final four digits) there is potentially enough information here to give a hacker what they need, from card expiry date to confirmation of your card type, how often you’ve used it. This information is certainly sufficient to pick an individual out as a target, and if cross-referenced with other accounts, possibly more.
Remember, your online identity is basically a dataset of your physical identity. Each element – name, date of birth, address – is like a jigsaw. As more pieces are found, a bigger picture of who you are emerges.
What You Should Do To Protect Your Data?
eBay has stated that its businesses are all kept separate. The implication of this should be that PayPal data is kept completely isolated from eBay data.
However, as the company has been unclear about how the breach occurred and which employees were affected, there is no reason to take this comment seriously.
As such we recommend that you change both your eBay and PayPal passwords. Ensure that these are different, and are not the same as those used for any other online accounts. Furthermore, heed eBay’s advice and address other online accounts you have that used the same password. Our tips on creating a secure password should help you out here. You might also store these in a secure service or app such as LastPass.
In the USA, PayPal offers a two-factor authentication system using a small handheld tool to create a code. While it would seem that there is no similar system in place for eBay, you can in fact get your hands on one for the auction site after you’ve signed up for the PayPal device. The implementation and promotion of these tools has been poor, as you can see, but two-factor authentication is a must for any online service that stores any data about you.
Remember, this is your data that eBay is admitting to having lost. Your name, address, phone number, birthday… you can change your password, but you can’t change them.
This Breach Is Disastrous For eBay
As stated earlier, we believe that changing your passwords and adopting two-factor authentication (where available) for eBay and PayPal is the best course of action.
However, if we consider the lack of information about the breach, the possibility of an internal attack, the lack of data being put up for sale, the potential for 30 million zombie accounts destroying eBay’s seller trust rating and its inability to cope with password resets, there remains a question that has to be asked. Do you really want to be a member of a website that treats user data and security breaches in this way?
If you’re thinking “but eBay is the only decent auction site!” then you’re quite wrong, as there are plenty of alternatives that you should check out.
However, we would encourage you to give this matter serious thought. It might not save your stolen data, but enough people voting with their feet will give other companies cause to act responsibly in these situations in future.
Have you received an email from eBay? Did you change your password already? How do you feel about this breach?
Let us know your thoughts in the comments.