Reactions to the eBay breach

A database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth was compromised. Here are some of the comments we received.

Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre

Given the size of eBay it should come as no surprise that they would be a large target for many criminals. While the breach raises many concerns and questions, we should remember that there is no such thing as 100% and that eBay has been the victim of a criminal attack. However, there are a number of concerns here with the way eBay have handled the breach. Nearly 10 hours after they announced the breach there was no notification on their website to warn those visiting it their passwords and personal details are at risk and they should change their passwords. There are no prompts to change your password when logging into the site, nor am I aware of any emails being sent to affected customers.

I am also concerned why it has taken so long to notify the public of the breach which was discovered two weeks ago. Given the details we have available it appears the breach originally occurred back in February/March which means the personal data of eBay customers could have been abused by criminals since then. Users should be notified as early as possible that their details have been leaked so they can take necessary precautions to protect themselves.

Clear, concise, timely, and regular communications to those impacted by a breach is one of the key critical factors in successfully managing a security incident and in turn rebuilding customers’ trust in you. Something, I’m afraid eBay have failed to do so far.

The other concern I have is how did the breach happen? eBay state the login credentials of some of their employees were compromised which enabled the criminals to gain further access into the system. Based on the sparse information available this attack has all the hallmarks of a spear phishing attack resulting in the log-in credentials of eBay staff being stolen. However, it is disappointing to think that eBay appears to have not employed some form of multi-factor authentication mechanisms to protect those staff user accounts with access to such sensitive information.

Hopefully eBay will provide more details of the attack over time so that others can learn on how to better secure their systems.

Per Thorsheim, Independent Information Security Advisor, founder of PasswordsCon

SSLLabs has a grade B for signin.ebay.com. No TLS version 1.1 or 1.2, no forward secrecy, no HSTS headers. They still use RC4, and yes, they are indeed PCI compliant. Then again they are far away from what is reckoned as good practice on their SSL configuration. Perhaps not that strongly needed, as PayPal is maybe better, but compared to other online shops I would expect better from eBay.

They also have a set of predefined security questions to help recover your account in case of trouble. The real-life answers to those questions, with some of them being very “american”, should be easily available on Google in some cases. If you decide to enter any other – meaningless – info as your reply to those questions, I wonder how they are stored. Plaintext or encrypted with a master key held by eBay, to be used when authenticating you under special circumstances?

Sergio Galindo, General Manager, Infrastructure Business Unit at GFI Software

Hackers are becoming far more opportunistic today and are frequently targeting easier pickings in an effort to gain access to systems and steal valuable data. In the last few years, most of the high-profile data thefts that have made the news have come about not through complex, large scale attacks that have used distributed or large-scale local networks of machines to breach security. Instead they have come about quite easily by opportunists simply exploiting the IT equivalent of an open window in an otherwise locked building, weak passwords, easily obtainable staff information, and open wireless network connections.

Reports so far suggest that the eBay hacking incident was at least in-part facilitated by lax employee data security. In reality this could be anything from weak and easily discoverable passwords to exploitation of insecure network devices in order to breach a system without throwing up any red flags and with minimal effort and equipment. Alongside hackers tapping into unofficial Wi-Fi hotspots and running through the known default passwords for switches and routers, these are frequent occurrences at organizations globally that not only damages customer confidence and brand value, but also cost money, time and productivity in the short term as the companies affected try to recover.

The potential damage to confidence and reputation is also not helped by the confirmation from eBay that the thefts announced today took place as far back as February. The reasons for the delay are not yet known, but we know from past examples that an early admission of a data loss helps minimize the negative impact on customer confidence.

eBay’s won’t be the last organization to fall foul of weak employee security practices, but it can be a learning point for big and small businesses. Enforce regular password changes, educate staff about the real risks associated with keeping passwords written down in plain sight or in obvious hiding places like the top drawer of a desk, monitor networks for rogue Wi-Fi access points and invest in software to let you manage, control and isolate the barrage of mobile devices that staff and visitors bring in to the workplace and connect to public and private networks.

Paul Ayers, VP EMEA at Vormetric

It’s less than half way through 2014 and we’re already beginning to lose count of the number of big name companies that have fallen foul of hack attacks like this. A common theme of many of these breaches is that they involve cybercriminals actively seeking to compromise insider accounts (focusing most heavily on privileged users like IT administrators) in order to infiltrate systems and steal data using their credentials. Because they are exploiting legitimate access, these attacks can be very difficult to spot- indeed the eBay breach occurred as long ago as between late February and early March. It’s a bit like trying to find a needle in a haystack, except the needle is disguised as a piece of straw.

In the case of the breach at eBay, the cybercriminals have targeted a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. Enterprise databases are a rich seam of valuable data for hackers and the route to this data is often via users that have the appropriate access rights and network privileges. Even though a portion of it was encrypted, it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks. That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed.

The most effective way to practically defend systems against this kind of threat is to protect data at its source and provide access on a true need to know basis, which can be achieved by implementing encryption combined with tight access controls as a method of carefully separating users’ network access from their ability to actually read, access and copy data. That way, if user accounts are compromised – as seems to be happening on almost a daily basis – there are more effective controls in place to help mitigate the damage that can be done.

Ilia Kolochenko, CEO of High-Tech Bridge

Unfortunately, the number of such security incidents will only grow in the future. Cloud, decentralised storage and outsourcing spread corporate information across numerous different sources and locations, some of which cannot even be clearly identified. Obviously hackers are looking for the most efficient ways of hacking (time and cost efficient) and will not attack eBay’s front-end as it is quite secure, but rather find one of their partners/suppliers who has access to the data, easily hack him and get the same data as if they hacked eBay directly.

The most dangerous consequence for the end-users is password re-use attacks – when one (or similar) password is being used for several or even all user accounts. Encryption does not really help, as our penetration testing practice shows – over 80% of encrypted hashes [used on web applications] can be bruteforced within 48 hours. But even a 50-random-characters password cannot guarantee a 100% security, as hackers can just intercept passwords in plain-text when users are logging-in for example [in case is hackers have access to web application of course]. This is why eBay is doing a good thing by advising users to change the passwords asap; people should not rely on encryption.

Centralization of data storage, regular and independent security audits and penetration tests can significantly help to improve the situation and minimize the risks.

Chris Boyd, Malware Intelligence Analyst at Malwarebytes

The company says that access to corporate servers was gained when a small number of employees were compromised. Whilst it’s impossible to say for sure until more detail emerges, this could be achieved as the result of a targeted “watering hole’ compromise or someone falling victim to spear phishing or a another form of social engineering. These types of attacks aim to get inside pre-identified targets such as companies and other high-value institutions.

It’s important that people listen to eBay and, when notified by email, change their password, as well as updating any other site which uses the same log-in credentials.

Ben Densham, CTO at Nettitude

As the latest high-profile organisation to fall victim to a data breach incident, eBay provides another warning to all organisations that the threat to businesses is continuing to grow. The fact that employee accounts were compromised in this case is concerning, as robust controls should be in place around these credentials, including behavioural monitoring systems which flag any suspicious behaviour in real-time. While it remains to be seen how these credentials were compromised – whether via a successful phishing email or the involvement of a third party – it is unfortunately unsurprising that these incidents continue to occur.

Data breaches involving customer information can be extremely damaging for any business, as lost customer confidence can be hard to regain. All companies that store client data must ensure they have a rigorous cyber security plan in place, that they identify and manage any areas of high risk and that they are fully prepared with an incident detection and response strategy should the worst happen.

Put simply, organisations must accept that attackers can and will look to exploit any weakness that exist in their security defences. With this in mind, the focus must be on ensuring full network visibility and being able to detect, contain and remediate an attack when – rather than if – the situation arises.

Tom Smith, VP of IDaaS Business Development & Strategy at Gemalto

Employees are the biggest exposure for companies when it comes to data breaches, and a compromised employee login is a serious thing as many companies today don’t keep a current record of who has access to what data. Making it simple for hackers to cause damage or extract data before detection of a breach as in eBay’s case.

eBay discovered a database of consumer personally identifiable information or PII was compromised including encrypted passwords, emails, physical addresses, phone number, and date of birth. This information taken now provides a tremendous amount of ammunition for the hackers to go after these individuals in both a consumer and professional context. Encrypted passwords won’t stand a chance when moved offsite to a hacker environment, and much of the personal data taken doubles as commonly used usernames or security questions for other accounts, essentially removing 75% of the security barriers that websites put up.

Those who have changed their passwords are not exempt, password reuse is an epidemic. You can be certain, if the database was successfully harvested from eBay that these hackers will identify high value targets and execute scripts to cross reference databases across the internet to ultimately discover inroads to other online accounts or networks for their own gain. Best thing those affected can do is change the passwords of any sites reusing that of eBay and implement two-factor authentication on their accounts.

Ondrej Vlcek, Chief Operating Officer at AVAST

Data from our recent survey shows that nine out of ten people intended to change their passwords after Heartbleed, but only 40% took action. This careless attitude is completely irresponsible; people have to take the initiative to protect themselves.

People should change their passwords every three to six months and choose complex passwords containing upper and lower case letters, numbers and symbols. Moreover, each account, especially accounts containing personal information and credit card details should have its own password. In a situation like this you really don’t want your PayPal and eBay accounts to have the same passwords.

Don't miss