eBay Asks 128 Million Customers To Change Their Passwords After Hack

E-commerce giant eBay will be asking all of its estimated 128 million active users to change their passwords, after admitting that hackers were able to steal employee log-in credentials and breach its customer database.

The company said the attackers were able to access customers’ names, email addresses, physical addresses, phone numbers and dates of birth as well as encrypted passwords, but no financial information was compromised. Security experts have criticised eBay for not protecting all of the customer data with encryption, and for presumably lacking two-factor authentication on internal systems.

“Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers,” it said in a statement.

How?

eBay said that the breach occurred between late February and early March, and that the compromise of employee log-in details was noticed two weeks ago. A further investigation led to the identification of the compromised database.

The company said there was no evidence that the account details were used to authorise any fraudulent transactions. There was also no evidence of hackers accessing the financial information, which was stored in a separate encrypted database.

Knowing that its business is based on customer trust, eBay is understandably angry.

“Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers,” it added.

Later today, the company will start sending out emails to customers, asking them to change their passwords. It also recommends that users who use the same password on other sites change those passwords as well.

“Now that this information has leaked, I am quite surprised that eBay has been so slow to add information to their site to inform users of the situation and guide them through the password reset process,” commented Dwayne Melancon, CTO of security vendor Tripwire. “Customer confidence relies on directive, specific action and information in these scenarios.”

“It appears that the eBay data breach involved securely encrypted passwords, which makes it less likely that users’ eBay accounts will be easily accessed since doing so will require brute force decryption. However, the fact that user email addresses and physical addresses were taken in the breach is more concerning.

“Criminals could use this information to masquerade as eBay customers on other sites, or perhaps use it to ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore easily reused by attackers.”

“A company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption,” added Brendan Rizzo, technical director EMEA at Voltage Security. “It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.”

Security expert Rik Ferguson has challenged eBay to provide more information on the encryption used, as well as the justification for keeping the customer details unencrypted: “I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.”
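What Ferguson's questions amount to in practice (which algorithm, whether and how passwords were salted, and how the work factor governs brute-force exposure) can be shown in code. The following is an added illustration, not code from the article or from eBay's systems; PBKDF2-SHA256, the iteration count, the keyspace and the hash rate are all assumed values chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; real deployments tune this to their hardware


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-SHA256 record: 'pbkdf2_sha256$iters$salt$digest'.
    A random per-user salt means equal passwords give different records, so a
    leaked table cannot be attacked with one precomputed lookup."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme for contrast: no salt, one fast hash, equal passwords collide."""
    return hashlib.md5(password.encode()).hexdigest()


def shared_password_groups(records: dict[str, str]) -> list[list[str]]:
    """Usernames whose stored values are identical. On an unsalted table this
    reveals every account sharing a password; on a salted table it is empty."""
    by_value: dict[str, list[str]] = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


def expected_crack_seconds(keyspace: int, iterations: int, hashes_per_second: float) -> float:
    """Expected time to recover one password by trying half the keyspace: each guess
    costs `iterations` hashes, so the work factor multiplies the attacker's cost."""
    return keyspace / 2 * iterations / hashes_per_second
```

Feeding a constructed table of users to `shared_password_groups` shows the difference a salt makes to a leaked database, and `expected_crack_seconds` shows why the iteration count, not just the algorithm name, determines the exposure Ferguson is asking about.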


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
