eBay's In With the Breached Crowd
eBay just became a member of a group no company wants to join: the corporate cybercrime victims club. Repeating a pattern that's now become familiar, the company reassured customers that the hackers didn't get anything of great value, but it advised them to change their passwords to be on the safe side. They should also be on the lookout for spearphishing attempts and perhaps a lot more spam.
May 21, 2014 3:32 PM PT
If there's a list of retailers that have not exposed their customers' data to a security breach, it just got shorter. The most recent company to confess to being hacked is eBay, which on Wednesday began sending emails urging customers to change their passwords.
eBay announced that a cyberattack had compromised a database containing encrypted passwords and other nonfinancial data and that a "small number" of employee login credentials were compromised. Extensive tests failed to turn up any evidence that the hack resulted in unauthorized activity for eBay users, the company said.
In addition, financial and credit card information, which is stored separately in encrypted formats, remained safe, eBay said.
The breach took place between late February and early March and was detected about two weeks ago.
A Run-of-the-Mill Breach?
As hacks go, eBay's appears to have been fairly benign -- at least, based on what has been revealed so far.
"Fortunately, the eBay account passwords were encrypted, so it will be more difficult for attackers to retrieve the plaintext passwords and use them to impersonate people," Craig Young, security researcher for Tripwire, told the E-Commerce Times.
Urging users to change their passwords is simply good sense, he explained.
"You never really know how your passwords are being saved on the server or who might have access to view them," he explained. "When sites are breached and passwords are exposed, popular services such as Facebook and Gmail tend to get an influx of login attempts using the breached credentials. Once an attacker gains access to additional services, they try to use that to compromise other accounts through password reset procedures."
2-factor Authentication Is Key
Basically, no site can claim to be truly secure unless it is using two-factor authentication, Mark Stanislav, security evangelist at Duo Security, told the E-Commerce Times.
The specific eBay accounts that were hacked probably were not protected by two-factor authentication, he guessed.
"It's critical that organizations not only provide their customers with strong authentication options, but also utilize those same best practices broadly across the organization to limit the availability of sensitive customer information from an attacker," Stanislav said.
"In the wake of such high-profile breaches as eBay, Adobe and Target, it cannot be overstated how important it is for organizations to use two-factor authentication," he emphasized.
Fraudsters Still Phishing
eBay's customers are not home free, despite the initial reassurances from the company. For starters, the databases could have been more severely compromised than eBay first discovered. That happened last year to Target. Following its initial revelation, it then had to confess to yet more security breaches.
The information that was compromised -- customer names, email addresses, physical addresses, phone numbers and birth dates -- can be used for identity theft or subsequent spearphishing attacks against the victims, noted Bogdan Botezatu, senior e-threat analyst at Bitdefender.
"For instance, an attacker could use the email addresses to spam victims with false warnings about their banking accounts used with eBay in order to get their hands on financial information," he told the E-Commerce Times.
"Such a message could urge the user to log into their e-banking account to check the bank statement, but instead could lead them to a spoofed banking page that asks for their user name, password, credit card number or other private details."