7 Facts: eBay Fumbles Password Reset Warning
Online auction site criticized for notification misfire, failing to make password resets mandatory.
Security alert to all eBay users: Change your passwords now.
That warning was issued Wednesday by eBay, which announced that hackers stole legitimate employee login credentials and used them to access eBay's network and steal a database containing information on 145 million users. The stolen database included personal information on users stored in plaintext format, as well as hashed and salted copies of their eBay passwords.
Here's what's known so far about the breach, how eBay has responded, as well as what users should do and expect in the wake of the breach.
1. Breach undetected for two months
While the breach appears to have occurred in late February or early March -- after attackers stole several employees' login credentials -- the theft and unauthorized use of those credentials wasn't detected until "about two weeks ago," thus triggering an investigation, eBay said in a blog post Wednesday. "Extensive forensics subsequently identified the compromised eBay database."
Having a breach last for at least two months before it's detected isn't unusual. According to a study of 2013 breaches released Wednesday by Trustwave, when a business self-detects a breach, that detection takes place -- on average -- 32 days after the breach occurred. Meanwhile, when an organization learns about the breach from a third party, an average of 108 days, or more than three months, will have elapsed from breach to notification.
2. Unclear: Password encryption strength
One worry, however, is that with the stolen eBay password hashes available offline, attackers may have had time to recover the passwords using next-generation password-cracking systems.
An eBay spokesman didn't immediately respond to an emailed request for more information about exactly how the passwords had been encrypted. That information could help information security experts estimate if -- or for how long -- the stolen passwords might be safe.
To be clear, eBay said there's no indication that the stolen, encrypted password data has been cracked and used by attackers. Likewise, the company said that all financial information, including that pertaining to subsidiary PayPal, was stored separately. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
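As an added illustration, not eBay's code or its actual scheme (which the article notes the company did not disclose), the following constructs a per-user salted, iterated password hash and a crude estimate of how the iteration count and per-user salts stretch the time an offline attacker needs against stolen hashes; the hash-rate and keyspace figures are assumptions for the estimate, not measurements.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; the real value is a deployment choice.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Build the record a site would store: random per-user salt, work factor, hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def seconds_to_exhaust(keyspace: int, fast_hash_guesses_per_sec: float,
                       iterations: int, users: int = 1) -> float:
    """Crude offline-cracking estimate: iterating the hash divides the attacker's
    guess rate by the iteration count, and per-user salts mean each user's hash
    has to be attacked separately instead of via one shared precomputed table."""
    rate = fast_hash_guesses_per_sec / iterations
    return keyspace * users / rate


if __name__ == "__main__":
    record = hash_password("correct horse battery")          # constructed sample
    assert verify_password("correct horse battery", record)
    # Assumed: 1e9 guesses/s against an unsalted fast hash, 8-char lowercase keyspace.
    fast = seconds_to_exhaust(26 ** 8, 1e9, iterations=1)
    slow = seconds_to_exhaust(26 ** 8, 1e9, iterations=ITERATIONS)
    print(f"fast hash: {fast / 3600:.1f} h per user; "
          f"iterated hash: {slow / 86400:.0f} days per user")
```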
3. Public notification: eBay stumbled
eBay arguably fumbled its public breach notification after Engadget reported seeing a half-finished PayPal blog post Wednesday warning people to change their eBay passwords. But after that news broke, and eBay posted an official statement on its website, it still took the online auction business more than 24 hours to send an email alert to all of its users.
In the meantime, the password-reset advisory remained noticeably absent from the online auction site's homepage or login screen for some hours, leading security expert Graham Cluley to ask why eBay seemed to be "burying news of its security breach from its millions of Web visitors."
When the company eventually did put a warning on its homepage, it linked to a static warning message, leaving users to navigate multiple drop-down menus, and execute at least a half-dozen clicks, to try to locate the password reset page.
What would have been simpler is if eBay's website notice included a link to its password-reset page.
4. Beware phishing attacks
Going forward, expect online attackers to begin quickly capitalizing on the eBay password reset warning. "When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective, since the general public is familiar with the situation and may not realize they're being duped," said Troy Gill, senior security analyst at AppRiver, in an emailed statement.
Longstanding advice about never clicking on links in emails -- lest they're a phishing attack in disguise -- applies here. "To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site," said Dwayne Melancon, CTO of Tripwire, in an email.
Also beware of eBay's actual attackers using the stolen plaintext data -- which included eBay users' names, email addresses, and birth dates -- to fashion more realistic-looking fake messages.
5. eBay fails to practice tough love
In the wake of the breach, one security step that eBay didn't take, but should have -- in the eyes of many security experts -- was to forcibly
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.