Do you buy and sell stuff online?
If so, you’ve probably used eBay, which means you can soon expect an email containing bad news.
The online trading megabrand is the latest to suffer a database breach.
Well, to be more precise, eBay is the latest site to admit to a database breach, which apparently happened about three months ago:
eBay Inc. said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. [...] The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth.
Actually, it’s slightly worse than that, because it seems that the crooks didn’t just prise loose the database file with some kind of database command injection.
eBay offered a very brief and vague explanation of how the attack happened, writing on its site that:
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said.
It really does say that: the company said on its blog that the company said that crooks had broken in and wandered around.
Advice for eBay PR flacks: when you’re writing your own blog article where you made a security blunder, avoid the temptation to refer to yourself in the third person.
It wasn’t someone else that let the crooks in, it was you, so write in the first person: it sounds so much more as though you mean it.
A followup tweet links across to PayPal, eBay’s payment processing arm, where you will read the comforting news that:
Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.
Good stuff.
Divide and conquer worked for Julius Caesar, who famously divided his empire in Gaul into three parts in order to be able to control it (OK, to keep it subjugated) more effectively.
Divide and conquer works in computer security, too.
If crooks have to break in to three different places, in three different ways, to be able to stitch together all your corporate data, then their job is tougher.
What to do?
The advice from eBay is to change your password right away, and we concur.
The company isn’t saying how securely it stored your passwords (it just says they were “encrypted,” though it probably means they were salted-and-hashed), so just how safe the stolen password data is against off-line attackers isn’t clear.
And make sure you go for something long and strong, not a dictionary word, a well-known phrase or something easy to guess, like your dog’s name.
It seems a bit sad to say, “Choose a strong password because that way you’ll leave someone else to take the hit,” but it’s true: if you chose your password wisely, other people’s passwords will be cracked first, because the crooks begin with the most likely passwords when they start cracking.
So use the time to get ahead of the password crackers, and update your password now.
And if you used the same password on any other site, change those other passwords, too.
BUT YOU DIDN’T DO THAT, DID YOU?
PS. Those of us at NakedSecurity who are eBay users haven’t received our warning emails yet [2014-05-22T09:00Z]. Are you an eBay user? Have you heard from eBay? Let us know in the comments…
eBay does not make it easy to find how to change your password! After you log in, look for the little triangle-arrow next to your name in the upper left corner. Select Account Settings from the drop-down menu. Then click on Business Information at the top of the left sidebar. “Password” will be on the list that appears. Click the pencil icon next to it. SHEESH that took way too long to find.
I changed my eBay password this morning. Then I tried to log out. Maybe my eyesight is failing, but I couldn’t find a logout button or link. Is there one? Or does eBay expect us to logout by closing the browser.
The “Sign out” link is also in the drop-down (little triangle) next to your name in the upper-left corner. I’m sure some designer found that intuitive.
They KNEW about this for 3 MONTHS before alerting their users? I just checked and the alert they sent out only just today, makes it sound like they just found out. This makes me angry! Companies need to alert their customers RIGHT AWAY when something like this happens.
I hear you.
Reading between the lines (and that’s another problem with many breach notices – they leave you to do just that), it sounds as though:
1. They were breached back then, but took three months (minus a couple of weeks) to *realise*.
2. After realising, it took a couple of weeks to work out what actually (or probably) happened with any sort of certainty.
I think that being breached, knowing, and not telling would be morally worse than being breached and not realising. But in practical security terms, being breached and not realising is worse, because you can’t even take secret/silent precautions if you don’t even know.
I think a couple of weeks is a reasonable “quiet period” if you really were caught unawares…time to close holes before letting everyone know, including other crooks, time to get law enforcement involved, and more.
Thank you for the heads up, Sophos.
Haven’t seen any mention yet anywhere about whether security question and answers were divulged and/or encrypted. That’s almost worse these days, as I think many people use the same question/answer combos. (I might…and I hate the situation of it…)
Now I cannot access my eBay page unless I change my password. When I try to do that I get a message that says “Unable to process request at this time.” Oy.
Oh dear. More clarity in words, eh 🙂 Why do writers come up with terminology like “at this time”? Doesn’t the use of the present tense automatically signal that, well, they’re talking about “now”?
What they mean is “unable to process your request.” If it is likely to work later, e.g. because of heavy load right now, why not say so and be helpful rather than merely pleonastic?
(It’s like the words “going forward” in respect of time. If you find out how to make it go backwards, *then* you can say something about its direction 🙂)
I’ve tried 6 times to change my password, no success: fill in the first line, get ‘strong’; try to confirm, get ‘no white spaces allowed’. About to give up. I’m very angry that my details could have been hacked!
Same thing happened to me. I’m just deleting the account…
I have two separate eBay accounts (for different purposes), so I had to change two passwords. In both cases, the browser displayed the following message:
“Sorry! We’re currently experiencing technical difficulties and are unable to complete the process at this time”
In both cases, shortly thereafter I received an email message confirming that my password had been successfully changed. The email was correct. I tried logging in to both accounts with the new passwords and it worked.
The fact that so much personal information was potentially exposed to ne’er-do-wells is already bad enough. The display of the bogus “technical difficulties” message doesn’t help.
I suppose that if there are, what, 145,000,000 accounts affected, as I think I read somewhere, there are a lot of people using the password change feature at the same time. And the backend to that probably isn’t part of a huge CDN (content delivery network), cached and distributed around the globe…for security reasons, and because, usually, only a small number of people are changing their passwords at any time.
Sort of like how in many countries, renewing a still-valid passport is fairly easy but replacing a lost or stolen one requires a fair bit of queuing because it’s a more unusual sort of request with bigger security implications.
I had the same experience Vito, but I thought mine was related to using LastPass to generate the password. Good to know it wasn’t LastPass-related.
I changed my password for ebay when the heartbleed bug hit. should i change it again, seeing this happened maybe 2 or 3 months before heartbleed?
Hmmmmm. Good question 🙂
I guess you don’t need to, since (as you say) you changed it after the hack.
But I guess you ought to, since eBay didn’t notice the hack until after you changed your password. Who knows but that the hackers came back after their first known sortie?
So…why not just change it again. You’re allowed to mutter under your breath as you do so.
Better safe than sorry. That’s what I go by 🙂
‘Encrypted Passwords’ have been compromised, but what about users’ ‘Secret question’?
Does that come under ‘other non-financial data’?
Couldn’t the attacker use a compromised secret question to gain access to account? Or even use the secret question answer on another site?
People are starting to learn to use a different password on every site, but password reset secret questions are another matter.
Got my message Tuesday am (UK)
How can a company like eBay restrict the password length to 20 characters – what sort of ridiculous stupidity is that! The change password form doesn’t explicitly say that but the field has a maxlength of 20. How can they seriously expect people to believe that they take our security seriously when we can’t use long passwords – added to which does that mean they are using encryption as opposed to hashes like Adobe all over again?
Not only do they have a max length of 20, they also can’t include spaces (and I’m not sure what else). And it appears that all you have to do to claim an ebay account is have access to the email address that created the account (you can enter in the address for “forgot password” and then use the delivered link to create a new password — no secret question etc. needed).
So if your email account is ever compromised, make sure you check that among other things, the attacker hasn’t used your email account to gain control of your ebay account.
Assuming we all changed them already after Heartbleed, didn’t this break in pre-date that? Why change it again?
See @Sean’s earlier comment on that very topic.
The Heartbleed fix seems to be _after_ this attack started but _before_ it was discovered and (we assume) the hole closed off. If you have formed the opinion that the crooks definitely didn’t come back into eBay’s network after their first infiltration (but before they were locked out for sure), then…I guess it isn’t necessary to change your password again.
“And make sure you go for something long and strong, not a dictionary word, a well-known phrase or something easy to guess, like your dog’s name.”
Even if someone were clueless/lazy enough to want to do that, he couldn’t.
eBay requires that a password contain at least one upper-case letter, one lower-case letter, one number and one symbol/punctuation character.
This has become something of a standard with sites that deal with financial transactions.
(I used to use “incorrect” as my universal password. That way, if I spaced out and entered the wrong password, the site would tell me, “Your password is incorrect.”)
Well, you need to consider “R0ver!” (which meets the rules) as pretty much equivalent to “rover” (which is a short dog’s name you can find in a dictionary :-), because password crackers apply that sort of leet-speak substitution as a matter of course.
Two tricks can be used to help (sticking with your obviously not secure 6-character as a model):
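To make the point in the reply above concrete, here is a small, added example (not code from the original post or from eBay) of the kind of check a site could run before accepting a password: it folds case, strips leading and trailing digits and punctuation, undoes a handful of common leet-speak substitutions, and then asks whether what is left is a dictionary word. The substitution table and the tiny wordlist are constructed for illustration; real cracking rule sets and wordlists are far larger.

```python
import re
import string

# Small illustrative substitution table (assumed for this example;
# real rule sets used by crackers cover far more cases).
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "#": "e"}

# Constructed toy wordlist standing in for a real dictionary.
DICTIONARY = {"rover", "thunder", "bradley", "password", "letmein"}


def normalize(candidate: str) -> str:
    """Undo the decorations a cracker's rules strip or substitute first:
    letter case, digits/punctuation tacked on the ends, and leet-speak characters."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return "".join(LEET_MAP.get(ch, ch) for ch in core)


def dictionary_components(candidate: str) -> list[str]:
    """Split the normalized candidate on non-letters and return the pieces
    if every piece is a dictionary word; otherwise return an empty list."""
    words = re.findall(r"[a-z]+", normalize(candidate))
    if words and all(word in DICTIONARY for word in words):
        return words
    return []


def is_disguised_dictionary_word(candidate: str) -> bool:
    """True when the candidate reduces to exactly one dictionary word,
    i.e. the complexity rules were satisfied without adding real strength."""
    return len(dictionary_components(candidate)) == 1


if __name__ == "__main__":
    for sample in ["R0ver!", "r0Ver!", "9R0ver!", "tHund3r-bR@dl#y", "xq7Lm"]:
        print(f"{sample:20} -> {normalize(sample):20} "
              f"components={dictionary_components(sample)} "
              f"single_word={is_disguised_dictionary_word(sample)}")
```

Note that capitalising a different letter, or prefixing a digit, changes nothing once case is folded and the ends are stripped, which is exactly why those variations cost a cracker almost nothing extra. The two-word candidate still decomposes into dictionary words under this check; whether a site accepts that is a policy decision the function deliberately leaves to the caller.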
First, capitalize a letter other than the first. “r0Ver!”.
The other is to use 2 digits, and shift one of them: “r0v3r!” becomes “r0v#r!”.
Couple both tricks with a longer set of words (separated by a special character, yet another trick):
e.g. “thunder-bradley” becomes “tHund3r-bR@dl#y”. Moderately easy to remember, difficult to crack (as long as your name isn’t Brad).
Another unrelated trick: Start the passphrase words with a digit. “9R0ver!”. My example above might become “2tHund3r-5bR@dl#y”.
Nothing is uncrackable, folks. But, the bad guys aim for the low-hanging fruit. So, my goal is to make MY passphrases secure enough that the bad guys pick on someone else.
As a matter of fact, they’re not that strict – Although it states passwords should contain those various types of characters, it still lets you create weaker ones. My new password created this morning has no upper case characters … but it does have lowercase, symbols and numbers.
As of this morning (May 22), I have still not received a notice from eBay or PayPal asking me to change my passwords. I did so on my own accord after reading about it in the news yesterday. I was also the first one to alert my friends and family about it because they don’t usually read the news every day.
I spoke with eBay this morning, and after my gentle rant received this reply a couple hours later:
eBay sent this message to [unameRedacted]. Your registered name is included to show this message came from eBay.
Learn more about how to tell if an email is really from eBay:
–pages.ebay.com/help/account/recognizing-spoof.html
_____________________________________________
Dear [unameRedacted],
Thank you for calling in today. We appreciate you being an active member of our community. I was able to receive some information on your question about passwords and if they were hashed. Here is that information:
Q: What encryption techniques do you use ?
A: We store encrypted passwords that have been hashed and salted. We have no evidence that the encryption on passwords has been broken and we have seen no spike in fraudulent activity on the site.
I hope this helps answer your question.
Sincerely, Trudy S.
eBay
eBay Document ID: 9703059009
_____________________________________________
Presuming Trudy knows from whence she speaks, eBay seems to be doing the credential storage thing properly.
So, the passwords are hashed, then salted, then encrypted? (In that order?)
You’d think they’d have got someone technical to write, in simple, clear technical English, just what password storage they use. For example, “We use PBKDF2 with a 16-byte random salt, 16000 iterations and a hash of HMAC-with-SHA256.” If you aren’t a techie you can ignore the detail; if you are, you really want/need to know.
Are the passwords encrypted, or are they hashed, or both?
A little clarity goes a long way.
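The article’s point about salted-and-hashed storage and off-line cracking, and the parameter wording suggested in the comment above, can be shown together in code. This is an added example, not eBay’s implementation and not code from the original post: it assumes the comment’s numbers (PBKDF2-HMAC-SHA256, a 16-byte random salt, 16000 iterations) purely as an illustration, and stores the parameters alongside each digest so they can be raised later without breaking existing accounts.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters taken from the wording in the comment above; an illustration,
# not eBay's actual settings (which the company never disclosed).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 16000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 digest under a fresh random salt and return
    a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if a stored record was made with fewer iterations than current
    policy; re-hash on the user's next successful login."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    # Two users who both chose "rover" get different records because each has
    # its own salt: an attacker with the stolen database must run the full
    # 16000-iteration derivation once per user for every guess, not once per guess.
    alice = hash_password("rover")
    bob = hash_password("rover")
    print("same password, different records:", alice != bob)
    print("alice logs in:", verify_password("rover", alice))
    print("wrong guess:", verify_password("R0ver!", alice))
    legacy = hash_password("rover", iterations=1000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The record format is what lets a site answer the commenter’s question plainly: anyone reading the stored value can see the algorithm, salt and work factor, and raising the iteration count later is a matter of re-hashing at next login rather than a migration of every row at once.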
Hi Paul,
Didn’t receive any notification from eBay about this breach. So I’m glad of being a subscriber of Naked Security. Just changed it. Thanks for spreading the word.
I just love this newsletter. Thanks for the heads-up.
I have not been contacted but I thought I would change my password anyway. So I loaded up KeePass, generated a shiny, brand new password and then found that I could no longer copy and paste it into the New Password entry field. Evidently eBay and PayPal have made this change to improve user security (?).
This was the password (now junked of course) +4+¹âfêGL¡µÒùIrbúfúi×2E. So can anyone please tell me how I enter that from the keyboard and secondly, how does this improve user security?
My guess is that non-7-bit ASCII characters are not accepted by eBay; they definitely don’t accept spaces. As for entering that from the keyboard, there are a few techniques. First is that there is software that will “paste” your clipboard by typing it. Second: if you’re on Windows, you can use alt-keypad combinations to enter each character’s code. If you’re on a Mac, you can use the character picker to click the characters you want to use. On KDE and Gnome you can use the Character Map tool.
Thank you Andrew. Strangely I did receive an email from eBay and when I followed the link I was able to do a copy and paste. Maybe they got the message. I had forgotten about the Alt-codes. Takes me back to creating forms in Superwrite and Supercalc so, so long ago.
I didn’t receive a notification but changed it after reading your email. I heard about it on the tv news but wanted a little more detail first.
Thanks!
Received my eBay notification yesterday 2014-05-25.
Haven’t received my notification yet as of 2014-05-28.
Called eBay to change password and they wanted my AOL account which I haven’t used in 15 years..ugh.. Of course I don’t remember it, but they said they couldn’t help without it.. I don’t want to create a new account!!! Any suggestions? ??
I cannot believe they have not resolved these issues after a few months. I cannot log in, I cannot reset my password, I just cannot access eBay in any shape or form. They must be losing tons of money. I guess I’ll have to shop elsewhere from now on. 🙁