
eBay Hacked - User Database Compromised

Torand

Saucey Sauces:

 

http://www.bbc.co.uk/news/technology-27503290

http://www.theverge.com/2014/5/21/5737914/ebay-will-ask-all-customers-to-change-passwords-after-massive-breach

 

 

 

BBC:

Ebay urges users to change passwords

 


Auction site eBay is forcing users to change their passwords after a cyber-attack compromised its systems.

 

The US firm said a database had been hacked between late February and early March, and had contained encrypted passwords and other non-financial data.

The company added that it had no evidence of there being unauthorised activity on its members' accounts.

However, it said that changing the passwords was "best practice and will help enhance security for eBay users".

The California-based company has 128 million active users and accounted for $212bn (£126bn) worth of commerce on its various marketplaces and other services in 2013.

A post on eBay's corporate site said that cyber-attackers accessed the information after obtaining "a small number of employee log-in credentials", allowing them to access its systems - something it only became aware of a fortnight ago.

"The database... included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth," it said.

"However, the database did not contain financial information or other confidential personal information.

"Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today."

Although the firm also owns the PayPal money transfer service, it said that the division's data was stored separately, encrypted and that there was no evidence that it had been accessed.

It added that any members who used the same login details used on eBay for other sites should also update them.

EBay has not provided any information about the kind of encryption it used.

One expert said there was still a concern that the hackers might be able to make use of their haul.

"We all know that given enough time hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant.

"The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems though password reset scams."

 

 

 

 

The Verge:

eBay will ask all customers to change passwords after massive breach

 


 

Later today, eBay will begin asking all of its 112 million customers to change their passwords, in the wake of a newly discovered database breach. The breach compromised a database containing a list of encrypted passwords that, once released in the wild, could potentially be decrypted through publicly available tools. As a result, eBay is asking users to change passwords as soon as possible. Officials say no financial data was implicated, and the company hasn't found any evidence of unauthorized activity resulting from breach.

 

ATTACKERS OBTAINED EMPLOYEE LOG-IN CREDENTIALS

 

The attack itself took place some time between late February and early March, when attackers obtained a group of employee log-in credentials, allowing access to the larger database. Even after the attack, eBay wasn't aware of the compromise until two weeks ago, and it took detailed forensic analysis to implicate the password database, resulting in today's announcement.

 

In addition to passwords, the database contained basic login information like name, email, phone number, address and date of birth, but officials stressed that no confidential or personal information was included in the breach. PayPal was not involved in the breach, as PayPal data is kept on a separate network with higher levels of encryption. Still, a site-wide password reset is generally seen as the best response to this kind of breach. eBay also reminded users to make the change at any other sites where they had used the same password, a bad security practice that is nonetheless widespread.

 

 

 

 

It's still a developing story, so stay tuned for more news.

 

 

 

Kinda mixed on my reaction:

 

A - PLEASE, just say if you think your users' data has been compromised; at the end of the day it is their personal information at risk.

 

B - BUT - there is, granted, a need to run internal assessments on what has been compromised and how to patch the issue.

 

 

 

Just to reiterate, this is the data that has been compromised: Encrypted password, customer: name, email address, physical address, phone number and date of birth. So pretty much everything that isn't financial.

 

 

 

Now that the news on this has matured since my initial posting, my revised opinions:

 

 

Obviously, a breach like this is not acceptable, but your systems can never be 100% safe and at least the data wasn't financial and they didn't do something stupid like leaving the passwords in plain text. Although the general information pertaining to the user is rather personal, despite what eBay thinks, it's nothing you couldn't easily find in public records or on social media if you really tried looking.

 

It is certainly something they couldn't really have prepared against, unless they provided the employees with regular password resets or a two-step verification method, especially when said employees are handling sensitive information.

 

As for the employees' information (although it's not really stated how the hackers obtained the logins), well, was it a willing pass of their login credentials? Details sold off for a quick buck? A drunken mistake on the employee's behalf? Phishing? The list of speculation goes on...

 

I'm not trying to defend eBay by any stretch of the imagination, what has happened will hopefully make them buckle up internal employee logins to harbour more appropriate security measures. But it certainly could have been much, much worse.


Dude don't do that

Selling my parts of my 900D rig for a jacked up Ncase M1. PM me for offers if interested (will take some reasonable-low offers because I'm desperate).

Parts that I'm selling: 900D (1 slot cover broken for stealth DVD drive mod) | Asus Z87 Deluxe | Cooler Master 212 Evo | Corsair 4x2GB black ram @1600mhz | EVGA 1000G2 PSU (2 cables with missing heat shrink) | DVD drive | HP membrane keyboard | Ducky Shine 3 YOTS in blue switches (warranty sticker broken)


- coming in a minute -

dammit people, just write it first.

"Probably Because I'm A Dangerous Sociopath With A Long History Of Violence"
 


God dammit, it's getting annoying that I prepare a post only to get it stolen by someone who just reserved the thread with just 2 words -__-

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

I used to have the second best link in the world here, but it died ;_; it's a 404 now but it will always be here

 


dammit people, just write it first.

 

 

God dammit, it's getting annoying that I prepare a post only to get it stolen by someone who just reserved the thread with just 2 words -__-

 

 

Guys, it's mainly because it is breaking news; it has literally just come out in the last few minutes. I was less than 30 seconds getting the information up and ready anyway, you guys are just click happy! :)


 

Later today, eBay will begin asking all its customers to change their passwords, in the wake of a newly discovered breach. The breach compromised a database that included unencrypted passwords, but eBay officials say no financial data was implicated. The breach was first discovered two weeks ago, and took place some time between late February and early March.

 

unencrypted passwords, are you kidding me?

(the other article says they are encrypted though, it makes more sense)


When was the breach? I was on there about 15 minutes ago and it wasn't asking me to change it.

Main rig on profile

VAULT - File Server


Intel Core i5 11400 w/ Shadow Rock LP, 2x16GB SP GAMING 3200MHz CL16, ASUS PRIME Z590-A, 2x LSI 9211-8i, Fractal Define 7, 256GB Team MP33, 3x 6TB WD Red Pro (general storage), 3x 1TB Seagate Barracuda (dumping ground), 3x 8TB WD White-Label (Plex) (all 3 arrays in their respective Windows Parity storage spaces), Corsair RM750x, Windows 11 Education

Sleeper HP Pavilion A6137C


Intel Core i7 6700K @ 4.4GHz, 4x8GB G.SKILL Ares 1800MHz CL10, ASUS Z170M-E D3, 128GB Team MP33, 1TB Seagate Barracuda, 320GB Samsung Spinpoint (for video capture), MSI GTX 970 100ME, EVGA 650G1, Windows 10 Pro

Mac Mini (Late 2020)


Apple M1, 8GB RAM, 256GB, macOS Sonoma

Consoles: Softmodded 1.4 Xbox w/ 500GB HDD, Xbox 360 Elite 120GB Falcon, XB1X w/2TB MX500, Xbox Series X, PS1 1001, PS2 Slim 70000 w/ FreeMcBoot, PS4 Pro 7015B 1TB (retired), PS5 Digital, Nintendo Switch OLED, Nintendo Wii RVL-001 (black)


Guys, it's mainly because it is breaking news; it has literally just come out in the last few minutes. I was less than 30 seconds getting the information up and ready anyway, you guys are just click happy! :)

But you've not even written anything.

 

you have just copied and pasted two websites.


unencrypted passwords, are you kidding me?

I was just about to say the same thing.

 

You'd think for a multi-billion dollar company they'd be able to take the time to encrypt passwords and other personal information...

//ccap

well. I will change my password. Other than that i trust ebay will sort out the issue.


But you've not even written anything.

 

you have just copied and pasted two websites.

 

Er, no. I always comment on the news in my posts. Go check my other posts, I always do.

 

And anyway, I place the website information on here to allow people to quickly read the article without having to click through to the website.

 

Not like anyone reads my opinion anyway, in which I really don't care about, but at least I put effort into not just copying and pasting the website. :/


Oh man, bought some stuff from there. Hope I don't get scammed or something.

|EVGA 850 P2| |1440p PG279Q| |X570 Aorus Extreme| |Ryzen 9 3950x WC| |FE 2080Ti WC|TridentZ Neo 64GB| |Samsung 970 EVO M.2 1TB x3

 |Logitech G900|K70 Cherry MX Speed|  |Logitech Z906 |  |HD650|  |CaseLabs SMA8 (one of the last ones made)

 


Er, no. I always comment on the news in my posts. Go check my other posts, I always do.

 

And anyway, I place the website information on here to allow people to quickly read the article without having to click through to the website.

the two comments you added AFTER "reserving" a thread, and then pasting in what other people wrote from those two sources add literally nothing.

 

Kinda mixed on my reaction:

 

A - PLEASE, just say if you think your users' data has been compromised; at the end of the day it is their personal information at risk.

 

B - BUT - there is, granted, a need to run internal assessments on what has been compromised and how to patch the issue.

 

 

 

It's honestly like you're just writing stuff for the sake of writing stuff.

 

A - They HAVE said that it's been compromised.

B - There is no issue to "patch". If you read the stories you copied and pasted you would realise that it's the fault of employees falling for social engineering, and not a software exploit.


the two comments you added AFTER "reserving" a thread, and then pasting in what other people wrote from those two sources add literally nothing.

 

 

It's honestly like you're just writing stuff for the sake of writing stuff.

 

A - They HAVE said that it's been compromised.

B - There is no issue to "patch". If you read the stories you copied and pasted you would realise that it's the fault of employees falling for social engineering, and not a software exploit.

 

I'm not arguing any more.

 

This is a news thread, I brought the news.

 

I add the comments with the articles; people don't really read them anyway (don't care), but still it's my opinions at that time, no matter how invalid they are, or people think they are.

 

After reading, now, what has come out since posting my initial comments, then yes, I am wrong.

 

This is the first time, after plenty news posts, that I did (for less than 30 seconds) just reserve a news post. Trust me, won't be reserving again.

 

Sorry, OK? Just trying to bring you guys news... :(


@MysteriousKiwi

 

 

but still it's my opinions at that time, no matter how invalid they are

 

The point is, at least do a minimum of research before posting like this, instead of making comments that contradict the article that you quote/link to.

 

But yeah, it's getting off-topic. Thanks anyway for bringing the news, but it's kinda annoying that people make topics super fast (and reserve posts) just to be sharing the news, when they don't even read or understand what they are talking about.


@MysteriousKiwi

 

 

The point is, at least do a minimum of research before posting like this, instead of making comments that contradict the article that you quote/link to.

 

But yeah, it's getting off-topic. Thanks anyway for bringing the news, but it's kinda annoying that people make topics super fast (and reserve posts) just to be sharing the news, when they don't even read or understand what they are talking about.

 

I posted that comment when the articles were still just one-ish paragraph, simply stating that the data was leaked, nothing more on what eBay had conducted, what had been leaked, how it happened, etc.

 

Now, yeh, I'd certainly change it, with the information that has since come out. :)


Dammit, this is the third thing that's been hijacked in the last few months....


Just changed my password, thanks for the heads up.


 

I signed up for an eBay account three days ago just to buy a PS2 to USB converter, never intending to use it again.
 
Why you do this? Now I have to change pass. Such hassle.

 

 

Get a password manager. No longer any problems. Click the generate button a few times and be happy.

Desert Storm PC | Corsair 600T | ASUS Sabertooth 990FX AM3+ | AMD FX-8350 | MSI 7950 TFIII | 16GB Corsair Vengeance 1600 | Seasonic X650W I Samsung 840 series 500GB SSD

Mobile Devices I ASUS Zenbook UX31E I Nexus 7 (2013) I Nexus 5 32GB (red)

 


I really hope that when eBay says "encrypted" in their response, they are actually talking about salted and hashed passwords (which btw encryption, while sometimes used to talk about hashed passwords is not actually hashing passwords, it is something else)

 

In my opinion worst to best ways to store passwords

plain-text (unencrypted) - speaks for itself

 

encrypted - While there aren't rainbow tables, the simple/common passwords could be guessed and "matched up" (e.g. if you know 1 person who had 1234 as a password, you can find everyone else who had 1234, and those types of people probably recycle passwords).  The worst case is if the list gets leaked and people find out the decryption key, if they do then the entire list can be read (which is why this is worse than hashed passwords)

 

hashed - There are enough rainbow tables out there that make finding the simple/semi-complex passwords very easy.  This is almost tied with encryption in my mind, but the risk of complex passwords being leaked is what makes me choose hashed over encryption

 

salted-hashed - The current gold standard.  Since each account uses its own number/characters to salt the password before it is hashed, all the hashed values for the same password should be different.  This means no rainbow tables; each password has to be guessed and checked.  So it takes a lot more processing, and you would have to more or less target one person.

0b10111010 10101101 11110000 00001101
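To make the "matching up" point from the post concrete, here is an added example (not code from the thread, from eBay, or from any named product) with constructed sample accounts: two users share the weak password 1234, so their unsalted digests are identical and can be clustered, while a per-account random salt plus a slow PBKDF2 derivation gives every record a different stored value that has to be guessed and checked one at a time. Function names, the 100,000-iteration work factor and the sample accounts are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample accounts for the demo (not real data); two users share "1234".
SAMPLE_ACCOUNTS = {
    "alice": "1234",
    "bob": "1234",
    "carol": "correct horse battery staple",
}

# Assumed work factor: raise it as hardware gets faster, store it beside each record.
PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The 'hashed' tier: plain SHA-256. Identical passwords give identical digests,
    so a leaked table reveals who shares a password and is open to rainbow tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def group_by_unsalted_hash(accounts: dict) -> dict:
    """Cluster usernames by unsalted digest; any cluster of size > 1 is a shared password."""
    clusters = defaultdict(list)
    for user, password in accounts.items():
        clusters[unsalted_hash(password)].append(user)
    return {digest: users for digest, users in clusters.items() if len(users) > 1}


def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """The 'salted-hashed' tier: fresh random salt per account, slow PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def salted_hashes_differ(accounts: dict) -> bool:
    """Same password, different salts: alice and bob no longer share a stored value."""
    records = {user: make_salted_record(pw) for user, pw in accounts.items()}
    return records["alice"]["hash"] != records["bob"]["hash"]


if __name__ == "__main__":
    print("shared unsalted digests:", group_by_unsalted_hash(SAMPLE_ACCOUNTS))
    record = make_salted_record("1234")
    print("correct password verifies:", verify_salted("1234", record))
    print("wrong password verifies:", verify_salted("1235", record))
    print("alice/bob salted hashes differ:", salted_hashes_differ(SAMPLE_ACCOUNTS))
```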


Why isn't ALL the information encrypted?

That means potentially my personal information such as WHERE I LIVE, MY NAME, WHEN I WAS BORN AND MOBILE NUMBER are in the hands of someone else,

that's verging on enough information for someone to be able to create a false identity and impersonate me...

Antec 1100 | Asus P8Z87-V | Silverstone Strider 850W 80+ Silver | Intel i5 3570k 4.3Ghz | Corsair h80 | Asus Xonar DGX | Sapphire HD 7850 1000 Mhz | 16 GB Patriot 1600MHz | Intel 330 180GB | OCZ Agility 3 60GB (Cache for HDD) | Seagate Barracuda 2TB | Asus VE247H x2 | Ducky Shine 2 - Cherry MX Brown | Razer Deathadder 3.5G | Logitech G430


Why isn't ALL the information encrypted?

That means potentially my personal information such as WHERE I LIVE, MY NAME, WHEN I WAS BORN AND MOBILE NUMBER are in the hands of someone else,

that's verging on enough information for someone to be able to create a false identity and impersonate me...

Cost is actually a major concern here I would suspect.

 

With passwords it is easy to do a bit of processing, as people who navigate the site will likely only sign in once.  So say I visited 20-50 pages while logged into Amazon.  If all of my information was fully encrypted then I would be constantly accessing it and decrypting it (for things like shipping estimates).  While this might seem trivial, it can add up to quite a bit of extra cost when you consider that they would likely need more servers to handle the added load of just accessing a page, plus the extra delay of decrypting everything every time you need it.

0b10111010 10101101 11110000 00001101


Interesting, I actually changed my password a few weeks ago due to the Heartbleed bug, so I'd say I'm safe. Then again I haven't used the account for months, so I might just delete the damn thing to save me some headaches.


Er, no. I always comment on the news in my posts. Go check my other posts, I always do.

 

And anyway, I place the website information on here to allow people to quickly read the article without having to click through to the website.

 

Not like anyone reads my opinion anyway, in which I really don't care about, but at least I put effort into not just copying and pasting the website. :/

 

 

What use is it when you force the text color of your entire post to the same color as the background of the forum when the forum is in 'dark colors mode'?

 

And don't tell me to just switch to the default, I have scotopic sensitivity syndrome which makes it almost impossible to read things on a white background.

I am a female pc hardware expert and enthusiast, over 170 IQ, been in the tech scene since the 80s. get over it.  This message brought to you by me being tired of people which have problems with any of those things.   ~Jaqie Fox

-=|Fighting computer ignorance since 1995|=-


What use is it when you force the text color of your entire post to the same color as the background of the forum when the forum is in 'dark colors mode'?

 

And don't tell me to just switch to the default, I have scotopic sensitivity syndrome which makes it almost impossible to read things on a white background.

 

What are you on about? ...

 

I haven't forced any colours? At least I haven't changed any colours, just typed out my post... :S

 

What's with the aggression? Why would I have a problem with it? Help me out here, you've thrown me for six...  :huh:
