Some online institutions have been around longer than others, and nobody could call eBay some unreliable fly-by-night. Certainly anyone who has emigrated to Spain in the past decade or so probably relied upon their services to get rid of all the stuff they didn’t want to pack and shift, and if only the mail were better and cheaper around here we’d all still be using them a lot more often.
But the world’s largest auction site uses the same encryption technology as every other organisation that securely processes payment information on behalf of thousands of people – and as such, it does have the same vulnerabilities and potential to compromise. And so, it would seem, eBay have been the victim of a security breach.
The way the news broke on May 21st certainly seems a little odd, with a blog post appearing briefly on the blog at Paypal, comprising only the title “”eBay, Inc. to Ask All eBay users to Change Passwords”, which then disappeared rapidly – but obviously not rapidly enough to stop people grabbing and sharing screenshots all over.
Then silence, for a while, followed by a post on eBay’s own blog confirming that there had been a cyberattack which compromised a database containing encrypted passwords and other non-financial data. The post reassured that there was “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats”.
The post went on to reassure that the compromised database did not contain financial information, although it did contain detailed identifying information about individual account holders and their activities including postal addresses and dates of birth.
The story is continuing to unfold at the time of writing and no official comment has been issued regarding the incomplete and hastily withdrawn blog post – a timely reminder to eBay and all the rest of us that once you publish something online it takes on a life of its own whether you want it to or not, but I guess some employee in the press room was feeling a bit stressed and jumped the gun.
The panic reaction is harder to account for given that the breach appeared to come to light some weeks after it occurred (in February /March), and the company clearly waited then to conduct its own forensic investigations as to the extent of the damage before making it public. Alarmingly the statement said the attack compromised a “small number of employee log-in credentials,” as well, which appears to have been how the attack was discovered, and presumably allowing the hackers unauthorized access to eBay’s corporate network.
So what action should you take? Change your password, now, if you have not already done so. Not used eBay in a while? Get back in there and change your password, or consider closing your account if you no longer require it. EBay insist there has been no compromise on the Paypal database, to which their personal accounts are all linked – and in most cases your Paypal account is linked directly to your bank account or your credit card. Still reading? Go and change your password, then come back!
Use the same password as you do on eBay on any other sites? Go and change them as well, and whilst you are at it why not download a password manager such as Lastpass or 1pass, and sort it all out once and for all? Because the greatest possible risk is hackers throwing that password and email combination at other random sites, which they can do at a speed and scale you will not believe.
We have discussed before the limitations of passwords as the standard global security key, but this is what we are dealing with at the moment until something like iris scan recognition comes built into every device – that could take a while. For now your best defence is a robust strong and unique password for every site you visit, and a gold-standard password manager is the best way to handle this – because the human brain is not capable of storing enough passwords of the required complexity and strength. So the danger is people end up reusing one they are particularly proud of on multiple sites… meaning that if one gets compromised, the rest are wide-open and vulnerable.
Incidentally eBay have been very keen to stress that their investigations have revealed no unauthorized account activity as a result of this breach. But, as I write they are in a rolling process of contacting every one of their users to advise them to change their password (hope that message is loud and clear by now)
I’ve got to say personally I am disappointed with the lack of emphasis on the theft of the contact information. Whilst it’s great that passwords are not deemed to have been compromised on this occasion, changing a password is the work of a moment and then it’s secure again. When it comes to your date of birth or your physical address it’s not so simple, and that information can be used in various ways to damage you via identity theft by people who do that kind of thing, and data assets of this nature change hands in the criminal world for large sums. I feel that not enough has been said about this, maybe because there is not a thing eBay can do about it?
But whatever has happened remember you are not alone, eBay has 145 million active buyers potentially affected by this. It’s a similar scale to when some HMRC employee in the UK left the entire Child Benefit database on a train some years back. Don’t have nightmares – but do manage your passwords sensibly, and be alert to any unusual activity on any online accounts you may operate.
Costa Connected, for Costa Blanca News, May 30th 2014 ©Maya Middlemiss, Casslar Consulting SL