eBay becomes the latest online giant to own up to a password breach


Do you buy and sell stuff online?

If so, you’ve probably used eBay, which means you can soon expect an email containing bad news.

The online trading megabrand is the latest to suffer a database breach.

Well, to be more precise, eBay is the latest site to admit to a database breach, which apparently happened about three months ago:

eBay Inc. said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. [...] The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth.

Actually, it’s slightly worse than that, because it seems that the crooks didn’t just prise loose the database file with some kind of database command injection.

eBay offered a very brief and vague explanation of how the attack happened, writing on its site that:

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said.

It really does say that: the company said on its blog that the company said that crooks had broken in and wandered around.

Advice for eBay PR flacks: when you’re writing your own blog article where you made a security blunder, avoid the temptation to refer to yourself in the third person.

It wasn’t someone else that let the crooks in, it was you, so write in the first person: it sounds so much more as though you mean it.

A followup tweet links across to PayPal, eBay’s payment processing arm, where you will read the comforting news that:

Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.

Good stuff.

Divide and conquer worked for Julius Caesar, who famously opened his account of the Gallic War by noting that all Gaul was divided into three parts, which made it easier to control (OK, to keep subjugated) one part at a time.

Divide and conquer works in computer security, too.

If crooks have to break in to three different places, in three different ways, to be able to stitch together all your corporate data, then their job is tougher.

What to do?

The advice from eBay is to change your password right away, and we concur.

The company isn’t saying how securely it stored your passwords (it just says they were “encrypted,” though it probably means they were salted-and-hashed), so just how safe the stolen password data is against off-line attackers isn’t clear. If the passwords really were encrypted, in other words stored reversibly, then anyone who also got hold of the key can simply decrypt the lot; if they were salted and hashed with a deliberately slow algorithm, the crooks have to guess each password and test every guess, which takes time but is far from impossible when the password is weak.

And make sure you go for something long and strong, not a dictionary word, a well-known phrase or something easy to guess, like your dog’s name.

It seems a bit sad to say, “Choose a strong password because that way you’ll leave someone else to take the hit,” but it’s true: if you chose your password wisely, other people’s passwords will be cracked first, because the crooks begin with the most likely passwords when they start cracking.
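To make the “most likely passwords first” point concrete, here is an added example (not eBay’s code and not from the original article) that models an off-line attack on a stolen table of salted, hashed passwords. It assumes the site used PBKDF2-HMAC-SHA256 with a random per-user salt; eBay has only said “encrypted,” so that is an assumption, as are the usernames, passwords and wordlist, which are all constructed for the demo.

```python
import hashlib
import os

# Added example, not eBay's code and not from the original article.
# Assumption: the stolen table holds PBKDF2-HMAC-SHA256 hashes with a
# 16-byte random salt per user.  The iteration count is kept low so the
# demo runs in under a second; real deployments use far more.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash as a site might store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_table(users: dict) -> dict:
    """Constructed 'stolen database': username -> (salt, hash)."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16)  # a fresh salt for every user
        table[user] = (salt, hash_password(password, salt))
    return table


def crack(table: dict, guesses: list) -> dict:
    """Off-line attack: try guesses in likelihood order against every record.

    Because each user has a different salt, every guess has to be hashed
    once per user; no work is shared between users.  Returns
    username -> (recovered password, number of guesses tried before it fell).
    """
    cracked = {}
    for position, guess in enumerate(guesses, start=1):
        for user, (salt, stored) in table.items():
            if user in cracked:
                continue  # no need to keep hashing for someone already cracked
            if hash_password(guess, salt) == stored:
                cracked[user] = (guess, position)
    return cracked


# Attacker's wordlist, most likely passwords first (constructed and abridged;
# a real list has millions of entries, still ordered by popularity).
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein", "rover",
                  "fido", "monkey", "welcome", "dragon", "sunshine"]

# Constructed victims: two weak choices and one long, made-up passphrase.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "rover",                              # the dog's name
    "carol": "orbital-teacup-galloping-wren-42",  # not in any wordlist
}


def demo():
    """Run the attack once; returns (cracked records, users still safe)."""
    table = build_table(SAMPLE_USERS)
    cracked = crack(table, COMMON_GUESSES)
    safe = sorted(set(SAMPLE_USERS) - set(cracked))
    return cracked, safe


if __name__ == "__main__":
    cracked, safe = demo()
    for user, (password, tries) in cracked.items():
        print(f"{user}: {password!r} fell after {tries} guesses")
    print("still standing:", safe)
```

Two things to notice: the crooks never “decrypt” anything, they simply hash their guesses with each user’s salt and compare; and because the wordlist is ordered by popularity, alice and bob are gone within a handful of guesses while carol’s passphrase never comes up at all. The cost of the attack scales with iterations times users times guesses, which is why a slow hash helps everyone but a strong password helps you.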

So use the time to get ahead of the password crackers, and update your password now.

And if you used the same password on any other site, change those other passwords, too.


PS. Those of us at NakedSecurity who are eBay users haven’t received our warning emails yet [2014-05-22T09:00Z]. Are you an eBay user? Have you heard from eBay? Let us know in the comments…