Thursday, May 29, 2014

eBay Breach: Password Reset Issues

About 145 million people are affected by the security breach at the Internet giant eBay.

Dumping the Data

When a catastrophic event happens, cyber-criminals come out from the shadows and lurk after their prey…YOU!

It has been claimed that eBay’s database is on the market, priced at 1.45 bitcoin.

The purported database is being offered via the anonymous text-sharing site Pastebin.

It is likely that the data is not from the recent eBay data breach but possibly from another source.

The seller provided a 3,000-row extract from a database containing Asia-Pacific user names, addresses, phone numbers and dates of birth, and claims the full database holds about 145 million users.

The users shown in the sample would be an odd subset of customers for an international company like eBay.

Even if the sample is not from the eBay breach, it could potentially be data from another major company’s leak.

Or it could be fake, just another cyber-criminal trading for bitcoin on the black market.

Did you receive a notice?

Many worried eBay users report that eBay has not yet sent them an email about the issue.  There is no notification when you go to eBay.com, nor any kind of warning about the breach.

A notification appears only after a user tries to reset their password, urging them to create a new one.


It is common for websites to put a banner or notification on their site after a breach, urging users to change their passwords, even when the theft is only of encrypted (and properly salted and hashed) passwords.

The reason why eBay hasn’t done the same, is a mystery…


Beef up the password

If you haven’t already done so, create a strong, unique password for your account.
Make sure you can remember it but nobody else will be able to guess it.

eBay, unlike many other sites, allows passwords as short as 6 characters.  The recommended minimum is 8 characters.

eBay does ask for a mix of upper-case, lower-case, numeric and symbol characters.  Try to use a combination of all of them.

The following passwords are rated as “medium”, so users are allowed to set them:
  • Password1
  • MyH0us3
  • Iloveyou!
  • !2345@
You can see how these passwords still mix letters, numbers and symbols, yet they remain quite easy to guess.

This is why it is so important to create a strong, secure password at least 8 characters long.
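To show why a composition-only rule lets the four “medium” passwords above through, here is an added example (not code from the original post or from eBay) that puts a simplified composition check, modelled on the post’s description of a 6-character minimum with mixed character classes, beside a stricter check that requires 8 characters, undoes common leet substitutions and rejects dictionary words and digit runs. The word list, the substitution table and the strong sample password are constructed for the example.

```python
# Constructed list of common base words; a real deployment would use a large breach-derived list.
COMMON_WORDS = {"password", "iloveyou", "house", "qwerty", "letmein", "welcome", "summer", "monkey"}

# Reverse common leet substitutions so "MyH0us3" normalizes to "myhouse" (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def char_classes(pw: str) -> int:
    """Count how many of the upper/lower/digit/symbol classes the password uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def naive_policy(pw: str) -> bool:
    """Composition-only rule (assumption modelled on the post: 6+ chars, mixed classes).
    It accepts every 'medium' example the post lists."""
    return len(pw) >= 6 and char_classes(pw) >= 2


def has_digit_run(pw: str, n: int = 4) -> bool:
    """True if the password contains n consecutive ascending or descending digits, e.g. '2345'."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        if not chunk.isdigit():
            continue
        diffs = {int(chunk[j + 1]) - int(chunk[j]) for j in range(n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def strict_policy(pw: str) -> tuple[bool, str]:
    """Stricter check: 8+ chars, no dictionary word after undoing leet substitutions,
    all four character classes, no digit runs. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    normalized = pw.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in normalized:
            return False, f"contains common word '{word}'"
    if char_classes(pw) < 4:
        return False, "missing a character class"
    if has_digit_run(pw):
        return False, "contains a sequential digit run"
    return True, "ok"
```

Running the post’s four examples through both checks shows that naive_policy accepts all of them while strict_policy rejects each with a reason.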

De-link PayPal

Since eBay owns PayPal, it encourages users to link their PayPal account to their eBay account.

Since the breach, if you have followed their suggestion, you may want to rethink your choice.

If you un-link PayPal from your eBay account, you can still pay with your PayPal account at any time.

Linked accounts provide cyber-criminals with an easy way to gather a variety of data.

Any time a step is removed from the login process, you remove a layer of security against criminals gaining access to your information.

It took eBay two months to discover the hack because no “unusual activity” was detected.  eBay has not confirmed whether the stolen data included private information.

Security experts have criticized the company for not encrypting all of the private customer information it holds.
eBay is aggressively investigating the intrusion with law enforcement but has no evidence that user accounts have been tampered with.

What do you think about this data breach?  Please leave your comments below, we would love to hear from you!

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.

