5/22/2014 11:10 AM
7 Facts: eBay Fumbles Password Reset Warning

Online auction site criticized for notification misfire, failing to make password resets mandatory.

Security alert to all eBay users: Change your passwords now.

That warning was issued Wednesday by eBay, which announced that hackers stole legitimate employee login credentials and used them to access eBay's network and steal a database containing information on 145 million users. The stolen database included personal information on users stored in plaintext format, as well as hashed and salted copies of their eBay passwords.

Here's what's known so far about the breach, how eBay has responded, as well as what users should do and expect in the wake of the breach.

1. Breach undetected for two months
While the breach appears to have occurred in late February or early March -- after attackers stole several employees' login credentials -- the theft and unauthorized use of those credentials wasn't detected until "about two weeks ago," thus triggering an investigation, eBay said in a blog post Wednesday. "Extensive forensics subsequently identified the compromised eBay database."

Having a breach last for at least two months before it's detected isn't unusual. According to a study of 2013 breaches released Wednesday by Trustwave, when a business self-detects a breach, that detection takes place -- on average -- 32 days after the breach occurred. Meanwhile, when an organization learns about the breach from a third party, an average of 108 days, or more than three months, will have elapsed from breach to notification.

2. Unclear: Password hashing strength
One worry, however, is that with the stolen password hashes available offline, attackers have had months to try to recover the underlying passwords using modern password-cracking systems. Salting defeats precomputed lookup tables, but it does not slow down guessing: how long the hashes hold up depends mainly on whether eBay used a fast general-purpose hash (such as MD5 or SHA-1) or a deliberately slow, iterated password hash (such as bcrypt, scrypt, or PBKDF2 with a high work factor), and on how strong each user's password was to begin with.

An eBay spokesman didn't immediately respond to an emailed request for more information about exactly how the passwords had been hashed. That information would help information security experts estimate whether -- or for how long -- the stolen password hashes might remain safe.

To be clear, eBay said there's no indication that the stolen password hashes have been cracked and used by attackers. Likewise, the company said that all financial information, including that pertaining to subsidiary PayPal, was stored separately. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
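To make the point concrete, here is an added example (not eBay's code; eBay has not disclosed which hash it used) that simulates an attacker's offline dictionary attack against a leaked salted-hash record under two hypothetical storage schemes: a single salted SHA-1, and PBKDF2-HMAC-SHA256 with a work factor. The wordlist and the sample passwords are constructed for illustration.

```python
"""Offline dictionary attack against a leaked salted-hash record: fast vs slow hash.

Added example, not eBay's code: eBay has not disclosed which hash it used, so the
two schemes below are hypothetical stand-ins, and the wordlist is constructed.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a real cracking wordlist (millions of entries in practice).
WORDLIST = ["123456", "password", "letmein", "qwerty", "ebay2014", "hunter2", "monkey"]


def store_password(password, scheme, iterations=100_000, salt=None):
    """Create a stored-credential record under one of two hypothetical schemes.

    'sha1'   : one SHA-1 over salt||password, a fast general-purpose hash
    'pbkdf2' : PBKDF2-HMAC-SHA256 with `iterations` as the work factor
    Both use a random per-user salt, so precomputed tables are useless and every
    guess has to be recomputed per user; only the work factor makes guessing slow.
    """
    salt = os.urandom(16) if salt is None else salt
    if scheme == "sha1":
        digest = hashlib.sha1(salt + password.encode()).digest()
    elif scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "iterations": iterations, "hash": digest}


def check_guess(record, guess):
    """Recompute the stored hash for one candidate. This is the attacker's per-guess cost."""
    candidate = store_password(guess, record["scheme"], record["iterations"], record["salt"])
    return hmac.compare_digest(candidate["hash"], record["hash"])


def dictionary_attack(record, wordlist):
    """Offline guessing against one leaked record.

    Returns (recovered password or None, guesses tried, elapsed seconds).
    """
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if check_guess(record, guess):
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def guesses_per_second(scheme, iterations=100_000, samples=50):
    """Rough single-core guessing rate in pure Python; the ratio between schemes is the point.

    A GPU cracking rig computes SHA-1 several orders of magnitude faster than this,
    while PBKDF2/bcrypt/scrypt are designed to keep the cost per guess high.
    """
    record = store_password("correct horse battery staple", scheme, iterations)
    start = time.perf_counter()
    for _ in range(samples):
        check_guess(record, "not the password")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for scheme in ("sha1", "pbkdf2"):
        leaked = store_password("ebay2014", scheme)               # weak password, leaked record
        print(scheme, "weak   ->", dictionary_attack(leaked, WORDLIST))
        leaked = store_password("Tr0ub4dor&3-xkcd-936", scheme)   # not in the wordlist
        print(scheme, "strong ->", dictionary_attack(leaked, WORDLIST))
        print(scheme, f"{guesses_per_second(scheme):,.0f} guesses/s (single core, pure Python)")
```

Two things to take from running it: the weak password falls to either scheme on the fifth guess, because a slow hash only multiplies the attacker's cost per guess and cannot protect a password that is in the wordlist; and the per-guess cost differs by orders of magnitude between the schemes, which is the number that decides whether 145 million records can be worked through in weeks or in decades. Whether eBay's hashes sit at the fast or the slow end of that range is exactly the unanswered question.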

3. Public notification: eBay stumbled
eBay arguably fumbled its public breach notification after Engadget reported seeing a half-finished PayPal blog post Wednesday warning people to change their eBay passwords. But after that news broke, and eBay posted an official statement on its website, it still took the online auction business more than 24 hours to send an email alert to all of its users.

In the meantime, the password-reset advisory remained noticeably absent from the online auction site's homepage or login screen for some hours, leading security expert Graham Cluley to ask why eBay seemed to be "burying news of its security breach from its millions of Web visitors."

When the company eventually did put a warning on its homepage, it linked to a static warning message, leaving users to navigate multiple drop-down menus, and execute at least a half-dozen clicks, to try and locate the password reset page.

A simpler approach would have been for eBay's website notice to link directly to its password-reset page.

4. Beware phishing attacks
Going forward, expect online attackers to begin quickly capitalizing on the eBay password reset warning. "When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective, since the general public is familiar with the situation and may not realize they're being duped," said Troy Gill, senior security analyst at AppRiver, in an emailed statement.

Longstanding advice about never clicking on links in emails -- lest they're a phishing attack in disguise -- applies here. "To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site," said Dwayne Melancon, CTO of Tripwire, in an email.

Also beware of eBay's actual attackers using the stolen plaintext data -- which included eBay users' names, email addresses, and birth dates -- to fashion more realistic-looking fake messages.
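The advice above boils down to one check: where does the link actually go? As an added example (not from the article, eBay, or any of the quoted vendors), the script below pulls every link out of an HTML email and flags any whose real destination host is not ebay.com, paypal.com, or a subdomain of them. The sample message and the trusted-domain list are constructed for illustration; the decoy hosts use reserved example names.

```python
"""Flag links in an HTML email whose real destination is not an eBay/PayPal host.

Added example, not from the article or from eBay. The sample message and the
trusted-domain list are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registrable domains the recipient actually has an account with (assumed list).
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}

# Constructed phishing-style message mixing one genuine link with three decoys.
SAMPLE_EMAIL = """<html><body>
<p>Dear eBay member, due to a security incident you must reset your password.</p>
<p><a href="https://signin.ebay.com/">Reset your password</a></p>
<p><a href="http://www.ebay.com.account-verify.example/reset">https://www.ebay.com/reset</a></p>
<p><a href="https://www.ebay.com@198.51.100.7/login">Secure login</a></p>
<p><a href="https://paypal.com-verify.example/">Confirm your PayPal account</a></p>
</body></html>"""


def host_is_trusted(host):
    """True only for a trusted registrable domain or a subdomain of one.

    'ebay.com.evil.example' and 'paypal.com-verify.example' both fail this test:
    a trusted name appearing somewhere in the host is not enough.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, visible text, reason) for every link that should not be clicked."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()   # .hostname drops any "user@" prefix
        if parts.scheme not in ("http", "https") or not host:
            findings.append((href, text, "not a plain web link"))
        elif not host_is_trusted(host):
            findings.append((href, text, f"destination host {host!r} is not a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} -> {href}")
```

The three decoys cover the usual disguises: a trusted name buried inside a longer host, visible link text that shows a genuine eBay URL while the href points elsewhere, and a `user@host` URL where the part before the `@` is decoration and the real host is the IP address after it. The genuine signin.ebay.com link passes. The check is only as good as its domain list, which is why typing the address into the browser yourself remains the simpler habit.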

5. eBay fails to practice tough love
In the wake of the breach, one security step that eBay didn't take, but should have -- in the eyes of many security experts -- was to forcibly


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Bprince, 5/30/2014 | 12:32:00 AM
Notification
I find the notification issues raised here troubling. The safest thing to do would be to do a forced reset, and to make the process for changing user passwords as simple as possible.

BP
dan.euritt, 5/25/2014 | 12:51:13 AM
Re: Ebay password change
I changed my Ebay password, but I'm still getting the reminder to change it. I guess that leaving the notice up is the easiest way to reach everyone.
Christian Bryant, 5/22/2014 | 1:19:58 PM
Time for Nok Nok Labs?
Not to be flippant, but with Samsung and PayPal turning to Nok Nok Labs, perhaps eBay could follow their lead. Dark Reading has covered Nok Nok Labs many times and I thought this was a nice nutshell: http://www.darkreading.com/risk/nok-nok-labs-delivers-on-vision-for-modern-authentication/d/d-id/1141317?

Their S3 Suite consists of:

-- The NNL(TM) Multifactor Authentication Server (MFAS), which provides a unified, flexible authentication infrastructure that enables user-friendly strong authentication for any device, any authenticator and any application.

-- The NNL(TM) Multifactor Authentication Client (MFAC) Mobile Edition with support for Android and iOS devices, which enables users to authenticate to any application using the existing security capabilities of their mobile devices. Also includes the Mobile App SDK and Authenticator Specific Module (ASM) SDK.

-- The NNL(TM) Multifactor Authentication Client (MFAC) Desktop Edition, with support for Windows 7 and Windows 8, provides user-friendly strong authentication to any application by unleashing the existing security capabilities of billions of desktops and mobile devices.

Call me crazy, but any site dealing with my money had better be securing their infrastructure at a minimum of this level of authentication.
Alison_Diana, 5/22/2014 | 1:19:40 PM
Re: PayPal
Right there with you, Lorna! That was my first question too -- and despite eBay's protestations to the contrary, I'd recommend changing that PayPal password.
Lorna Garey, 5/22/2014 | 11:28:02 AM
PayPal
My immediate thought was, is PayPal affected? I mean, so maybe someone logs in as me and bids on and wins something on eBay. That's bad. Using my PayPal to pay for it? Much, much worse. Nice to hear that "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted." Would be nicer if that were independently confirmed.