Attacks/Breaches
5/21/2014
12:40 PM
50%
50%

eBay Database Hacked With Stolen Employee Credentials

Encrypted passwords and other sensitive data exposed, users urged to change passwords.

eBay is asking users to change their passwords in light of a cyberattack that compromised a database containing encrypted passwords and other data.

The company says that it has not found any evidence of the compromise causing unauthorized activity among eBay users, and no financial data has been impacted. In response to the attack, the company says it shut down unauthorized access and put additional security measures in place, though it did not say specifically what those measures are.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," according to a statement eBay posted online. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

According to the company, the compromise happened between late February and early March and was detected roughly two weeks ago. The database that was hit contained a plethora of information: customer names, encrypted passwords, email passwords, physical addresses, phone numbers, and birthdays. It did not contain financial or other confidential information, and there has been no evidence of unauthorized access or compromises related to information for PayPal users, according to eBay. 

PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted, eBay noted. Likewise, the company says it has not found evidence of unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, GumTree, or GittiGidiyor.

This breach highlights the importance of companies placing tighter controls on how user credentials are stored and protected, says Brendan Rizzo, Technical Director for Voltage Security.

"It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have 'hashed' and 'salted' its passwords," says Rizzo. "If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally-identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user's behalf."

Two concerns stand out: One, passwords will eventually be decrypted, and two, attackers will now have access to data making it easier for them to sound legit, says Trey Ford, Global Security Strategist at Rapid7.

"Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter," he says. "Expect an uptick in phishing, do not click links in email, or discuss anything over the phone. Call customer service or go directly to websites as you normally would."

eBay says it is working with law enforcement. Any users who utilize the same password on other sites as they do for eBay should change the passwords for those sites as well.

As of the end of the first quarter of 2014, eBay had 145 million active buyers.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
5/22/2014 | 11:12:33 AM
Re: Paypal and eBay Correlations
I completely agree, despite eBay's protestations to the contrary. It took several weeks for eBay to alert users to this breach. We've seen other instances where a company's initial breach was downplayed, only to eventually be determined to encompass many millions more users or be much more far-reaching than originally thought. Why take the chance?
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
5/22/2014 | 11:10:50 AM
Re: eBay hack shines light on failure of many organizations
Until companies stop getting a pass that this is "business as usual," I don't see this happening. You want to reward those large corporations that don't get hacked -- but doing so would put a big target on them (or, really, an even bigger target on their networks). Surely some organizations are doing security right?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/21/2014 | 10:15:28 PM
Paypal and eBay Correlations
One thing to point out here is that eBay acquired Paypal back in the early 2000's. Having been a member of both I know that the password set standards use to be identical, I can't remember if paypal changed their standards.

If phishing is noteworthy in this instance, pointed out from eBay inc than that means email addresses were compromised or usernames, something of that ilk. I would highly recommend changing your paypal password as well because although security professionals understand that it may not be a good idea to have passwords be the same; the average person enjoys simplicity. It very may be that many people have the same credentials for both.

I urge everyone to change their paypal password as well, especially if it matches their eBay password. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/21/2014 | 7:21:57 PM
Monitoring Needs Higher Budget Consideration
Like any other aspect of security implementation, I think companies balk at user access/usage pattern monitoring when they look at the infrastructure requirements.  And they shouldn't: social and soft cyber-crime can be the most dangerous, and malevolent staff are the weak link in most companies.  Monitoring should be at the top of the budget for security, from key-card usage to http gets, and phone call patterns to lunch habits.  Anyone who worries about a "big brother" environment isn't taking their responsibility to keep company assets secure seriously.  People security reaches to all levels, from technical access to work satisfaction.  Human psychology familiarity is a necessary tool in today's discipline of InfoSec and, sadly, it's time to start assuming every employee is a security risk factor.
Kurt Johnson
100%
0%
Kurt Johnson,
User Rank: Strategist
5/21/2014 | 4:49:45 PM
eBay hack shines light on failure of many organizations
This latest data breach news from eBay also shines a light on the fact that organizations fail to monitor user access activity for abnormal patterns on a continuous basis. The attack, carried out when hackers compromised employee log-in credentials and obtained unauthorized access to eBay's corporate network, is becoming classic (think Target). In fact, the 2014 Verizon DBIR highlighted this type of breach in their "insider and privilege misuse" section; noting the common hacking technique of stealing credentials and then escalating privileges to gain access to sensitive information. So, what can organizations do to quell the effects of this type of breach? Our prescription: reduce the threat surface, and detect permissions escalation and abnormal behavior by cleaning up IAM's most wanted offenders (abandoned, orphan and privileged accounts, and unnecessary entitlements). Better controls around user access combined with actively monitoring who is accessing what, when, where and why is critical to helping defray such attacks. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
5/21/2014 | 2:11:24 PM
eBay Database Hacked With Stolen Employee Credentials.
Soon we are gonna have to start using tokens to login to any site. Passwords being stolen are starting to be common place. Lets start a trend, call for multi-factor for all sites. Just a thought.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.