Dark Reading is part of the Informa Tech Division of Informa PLC

5/21/2014
12:40 PM

eBay Database Hacked With Stolen Employee Credentials

Encrypted passwords and other sensitive data exposed, users urged to change passwords.

eBay is asking users to change their passwords in light of a cyberattack that compromised a database containing encrypted passwords and other data.

The company says that it has not found any evidence of the compromise causing unauthorized activity among eBay users, and no financial data has been impacted. In response to the attack, the company says it shut down unauthorized access and put additional security measures in place, though it did not say specifically what those measures are.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," according to a statement eBay posted online. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

According to the company, the compromise happened between late February and early March and was detected roughly two weeks ago. The database that was hit contained a plethora of information: customer names, encrypted passwords, email passwords, physical addresses, phone numbers, and birthdays. It did not contain financial or other confidential information, and there has been no evidence of unauthorized access or compromises related to information for PayPal users, according to eBay. 

PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted, eBay noted. Likewise, the company says it has not found evidence of unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, GumTree, or GittiGidiyor.

This breach highlights the importance of companies placing tighter controls on how user credentials are stored and protected, says Brendan Rizzo, Technical Director for Voltage Security.

"It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have 'hashed' and 'salted' its passwords," says Rizzo. "If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally-identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user's behalf."

Two concerns stand out: One, passwords will eventually be decrypted, and two, attackers will now have access to data making it easier for them to sound legit, says Trey Ford, Global Security Strategist at Rapid7.

"Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter," he says. "Expect an uptick in phishing, do not click links in email, or discuss anything over the phone. Call customer service or go directly to websites as you normally would."

eBay says it is working with law enforcement. Any users who utilize the same password on other sites as they do for eBay should change the passwords for those sites as well.

As of the end of the first quarter of 2014, eBay had 145 million active buyers.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Randy Naramore,
User Rank: Ninja
5/21/2014 | 2:11:24 PM
eBay Database Hacked With Stolen Employee Credentials.
Soon we are gonna have to start using tokens to log in to any site. Passwords being stolen is starting to be commonplace. Let's start a trend, call for multi-factor for all sites. Just a thought.
Kurt Johnson,
User Rank: Strategist
5/21/2014 | 4:49:45 PM
eBay hack shines light on failure of many organizations
This latest data breach news from eBay also shines a light on the fact that organizations fail to monitor user access activity for abnormal patterns on a continuous basis. The attack, carried out when hackers compromised employee log-in credentials and obtained unauthorized access to eBay's corporate network, is becoming classic (think Target). In fact, the 2014 Verizon DBIR highlighted this type of breach in their "insider and privilege misuse" section; noting the common hacking technique of stealing credentials and then escalating privileges to gain access to sensitive information. So, what can organizations do to quell the effects of this type of breach? Our prescription: reduce the threat surface, and detect permissions escalation and abnormal behavior by cleaning up IAM's most wanted offenders (abandoned, orphan and privileged accounts, and unnecessary entitlements). Better controls around user access combined with actively monitoring who is accessing what, when, where and why is critical to helping defray such attacks. 
Alison_Diana,
User Rank: Moderator
5/22/2014 | 11:10:50 AM
Re: eBay hack shines light on failure of many organizations
Until companies stop getting a pass that this is "business as usual," I don't see this happening. You want to reward those large corporations that don't get hacked -- but doing so would put a big target on them (or, really, an even bigger target on their networks). Surely some organizations are doing security right?
RetiredUser,
User Rank: Ninja
5/21/2014 | 7:21:57 PM
Monitoring Needs Higher Budget Consideration
Like any other aspect of security implementation, I think companies balk at user access/usage pattern monitoring when they look at the infrastructure requirements.  And they shouldn't: social and soft cyber-crime can be the most dangerous, and malevolent staff are the weak link in most companies.  Monitoring should be at the top of the budget for security, from key-card usage to http gets, and phone call patterns to lunch habits.  Anyone who worries about a "big brother" environment isn't taking their responsibility to keep company assets secure seriously.  People security reaches to all levels, from technical access to work satisfaction.  Human psychology familiarity is a necessary tool in today's discipline of InfoSec and, sadly, it's time to start assuming every employee is a security risk factor.
RyanSepe,
User Rank: Ninja
5/21/2014 | 10:15:28 PM
Paypal and eBay Correlations
One thing to point out here is that eBay acquired PayPal back in the early 2000s. Having been a member of both, I know that the password set standards used to be identical; I can't remember if PayPal changed their standards.

If phishing is noteworthy in this instance, pointed out from eBay Inc., then that means email addresses were compromised or usernames, something of that ilk. I would highly recommend changing your PayPal password as well because, although security professionals understand that it may not be a good idea to have passwords be the same, the average person enjoys simplicity. It may very well be that many people have the same credentials for both.

I urge everyone to change their PayPal password as well, especially if it matches their eBay password.
Alison_Diana,
User Rank: Moderator
5/22/2014 | 11:12:33 AM
Re: Paypal and eBay Correlations
I completely agree, despite eBay's protestations to the contrary. It took several weeks for eBay to alert users to this breach. We've seen other instances where a company's initial breach was downplayed, only to eventually be determined to encompass many millions more users or be much more far-reaching than originally thought. Why take the chance?