Showing posts with label password security.

Thursday, May 29, 2014

eBay Breach: Password Reset Issues

About 145 million people are affected by the security breach at the Internet giant eBay.

Dumping the Data

When a catastrophic event happens, cyber-criminals come out from the shadows and lurk on their prey…YOU!

It has been claimed that eBay’s database is on the market, priced at 1.45 bitcoin.

The claimed offer is for sale via the anonymous text-sharing site Pastebin.

It is likely that the data is not from the recent eBay data breach but possibly from another source.

The seller provided a 3,000-row extract from a database of Asia-Pacific user names, addresses, phone numbers and dates of birth, and claims the full database holds about 145 million users.

The users shown in the sample would be an odd subset of customers for an international company like eBay.

Even if the sample is not from the eBay breach, it could potentially be data from another major company’s leak.

Or it could be fake, just another cyber-criminal trading for bitcoin on the black market.

Did you receive a notice?

Many reports from worried eBay users say that eBay has not yet sent them an email about the issue.  There is no notification when you go to eBay.com, nor any kind of warning about the breach.

A notification appears only after a user tries to reset their password, urging them to create a new one.


It is common for websites to put a banner or notification on their site after a breach, urging users to change their passwords, even when the theft is only of encrypted (and properly salted and hashed) passwords.

Why eBay hasn’t done the same is a mystery…

Beef up the password

If you haven’t already done so, create a strong, unique password for your account.
Make sure you can remember it but nobody else will be able to guess it.

eBay, unlike many other sites, allows passwords as short as 6 characters.  The recommended minimum is at least 8.

eBay does require a mix of upper-case letters, lower-case letters, numbers and symbols.  Try to use a combination of them all.

The following passwords are rated as “medium”, so users are allowed to choose them:
  • Password1
  • MyH0us3
  • Iloveyou!
  • !2345@
These passwords still contain a mix of letters, numbers and symbols, yet they are quite easy to guess.

This is why it is so important to create a strong, secure password at least 8 characters long.

De-link PayPal

Since eBay owns PayPal, it suggests that users link their PayPal account to their eBay account.

If you followed that suggestion, you may want to rethink your choice since the breach.

If you un-link PayPal from your eBay account, you can still pay with your PayPal account at any time.

Linked accounts provide cyber-criminals with an easy way to gather a variety of data.

Every step removed from the login process is one less barrier between criminals and your information.

It took eBay two months to discover the hack because no “unusual activity” was detected.  eBay has not confirmed whether the stolen data included private information.

Security experts have criticized the company for not encrypting all the private customer information it holds.
eBay is aggressively investigating the intrusion with law enforcement but has no evidence that user accounts have been tampered with.

What do you think about this data breach?  Please leave your comments below, we would love to hear from you!

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest computer security threats.

References:
Myers, Lysa. “eBay breach news: Posted data dump not valid, password reset issues.” ESET We Live Security, May 22, 2014. http://www.welivesecurity.com/2014/05/22/ebay-breach-news-posted-data-dump…
Gibbs, Samuel. “Ebay denies ‘stolen database’ on sale for 1.45 bitcoin is authentic.” The Guardian, May 22, 2014. http://www.theguardian.com/technology/2014/may/22/ebay-denies-stolen-database-on-sale…

Thursday, January 23, 2014

Is Password Protection not a Big Deal to You?

Last year was a big year for password protection.  We saw Target and Adobe get hacked, a slew of malware on the internet, phishing scams all over social media sites and even our own personal email filled with spam.

If password protection is still not a big deal to you, then you should think again.

You would think that after seeing major corporations hacked and personal security compromised, we would take more time creating passwords that aren’t so simple to crack.

The most commonly stolen passwords are still “123456” and “password”.  This doesn’t only mean that “123456” and “password” are the easiest for cybercriminals to guess; they are also the most common passwords people actually use!

“123456” is finally getting some time in the spotlight as the world’s worst password, after spending years in the shadow of “password.” – SplashData

Weaker passwords are much more susceptible to brute-force attacks.  Attackers first try to access accounts through rapid guessing.


Even though common words and phrases are easier to remember, they are also easier for hackers to determine.  Some people replace letters with similar-looking numbers (like “3” instead of “E”, or “0” instead of “O”).  Although it is good to use a variety of characters in your password, this is still not an effective strategy, at least for sensitive accounts.

There are many password management programs that you can benefit from greatly.  Try LastPass, KeePass or SplashID.

These programs keep track of all your accounts, and all you have to do is remember one master password.

Here is the full list of the worst passwords of 2013:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. abc123
  6. 123456789
  7. 111111
  8. 1234567
  9. iloveyou
  10. adobe123
  11. 123123
  12. admin
  13. 1234567890
  14. letmein
  15. photoshop
  16. 1234
  17. monkey
  18. shadow
  19. sunshine
  20. 12345
  21. password1
  22. princess
  23. azerty
  24. trustno1
  25. 000000

If you have an account with any of these passwords, consider it a major fail.  Please change your password immediately.
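The eBay post above shows why a composition rule alone (length plus a mix of character classes) rates “Password1” or “Iloveyou!” as “medium”: the rule never asks whether the password is on a list attackers try first. The checker below is an added example, not code from hyphenet or from any of the sites discussed; it applies an eBay-style composition rule (the 8-character minimum and class mix recommended above) and then rejects anything that matches the worst-passwords list, including after the look-alike substitutions the post mentions (“3” for “E”, “0” for “O”) are undone and trailing digits are dropped. The blocklist is constructed from the 25 entries listed above; a real deployment would use a much larger breached-password corpus.

```python
import re

# Constructed blocklist for this example: the 25 worst passwords of 2013 listed
# in the post. Real deployments check against a far larger breached-password set.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}

# Undo the look-alike substitutions the post warns about ("3" for "E", "0" for "O", ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})

# The four character classes an eBay-style composition rule counts.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}


def normalized_forms(password):
    """Variants a guessing attacker would try: lowercased, punctuation stripped,
    look-alike substitutions undone, and a trailing digit run removed
    ("Password1" -> "password")."""
    low = password.lower()
    forms = {
        low,
        re.sub(r"[^a-z0-9]", "", low),
        re.sub(r"[^a-z0-9]", "", low.translate(LEET)),
    }
    forms |= {re.sub(r"[0-9]+$", "", f) for f in list(forms)}
    forms.discard("")
    return forms


def is_blocklisted(password):
    """True if any normalized form of the password is on the common-password list."""
    return any(f in COMMON_PASSWORDS for f in normalized_forms(password))


def evaluate(password, min_length=8, min_classes=3):
    """Composition rule plus blocklist check. An empty reject_reasons list means accept."""
    classes = character_classes(password)
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(classes) < min_classes:
        reasons.append(f"uses only {len(classes)} of 4 character classes")
    if is_blocklisted(password):
        reasons.append("matches a common password (after normalization)")
    return {"password": password, "classes": sorted(classes), "reject_reasons": reasons}


if __name__ == "__main__":
    # The four "medium" examples from the eBay post, a leet-speak variant of
    # "password", and one constructed random password that should be accepted.
    for pw in ["Password1", "MyH0us3", "Iloveyou!", "!2345@", "P@ssw0rd", "Vk9#rTq2$mLw"]:
        result = evaluate(pw)
        verdict = "reject" if result["reject_reasons"] else "accept"
        print(f"{pw:14} {verdict:7} classes={result['classes']} "
              f"{'; '.join(result['reject_reasons'])}")
```

Running it shows “Password1” and “Iloveyou!” passing the composition rule but failing the blocklist, “P@ssw0rd” caught only because the substitutions are reversed before the lookup, and the two short examples rejected on length. The normalization step is what makes the list useful: without it, appending a digit or swapping one letter defeats an exact-match blocklist.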

As more people are doing their banking, bill paying, and buying items online, this problem is only getting worse.

How secure is your password protection?  Tell us what you think in the comment section below!

References:
“The 25 worst passwords of 2013: ‘password’ gets dethroned.” PC World. http://www.pcworld.com/article/2089244/the-25-worst-passwords-of-2013-password…
“‘123456’ assumes the ‘worst password of 2013’ throne.” Fox News. http://www.foxnews.com/tech/2014/01/21/worst-password-2013-named/

Friday, November 15, 2013

Facebook requires you to change your password if it is the same as your Adobe password.

We’ve recently heard of the massive breach at Adobe, in which the private data of 38 million users was leaked.  Now Facebook is requiring you to change your password if it is the same as the one you used on your Adobe account.

Users who have the same email and password combination for both accounts are being automatically locked out of their Facebook accounts.  They are asked several questions before access is granted, and then must create a new password as a safety measure.

Facebook users may be greeted with “Someone May Have Accessed Your Account”.

Although Facebook has not been directly affected, it wants to make sure your account isn’t at risk, since hackers often reuse your email and password to access multiple accounts.

Unfortunately, many people use the same password for all their accounts, which is a major security risk.
For tips on how to create a safe and secure password, see our recent blog post.

Facebook hasn’t revealed how many of its users were affected, but password information is publicly available on the internet via several password “dumps”.

Adobe has confirmed that around 38 million active users may have had an ID or encrypted password accessed by unknown attackers in a breach earlier in the year.

Three million users are estimated to have had their data accessed, but the attackers appeared to want only the source code for Adobe’s Acrobat software.

Half a million craftier customers chose “123456789”, according to a report by The Register quoting researcher Jeremi Gosney, a self-styled “password security expert” who found the passwords in a dump online.

Always create a new password for each individual account.  Once someone gets hold of one of your passwords, they can access your whole life if they want to.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

References:
“Facebook helps out users who used same password on Adobe – by blocking them.” We Live Security. http://www.welivesecurity.com/2013/11/13/facebook-helps-out-users-who-used-same-password-on-adobe-by-blocking-them/

Monday, March 4, 2013

Evernote Hacked, Resets 50 Million Account Passwords

Evernote users were instructed to create a new password following the discovery of a security breach on Saturday.

Evernote says that they were able to detect and block what appears to have been a “coordinated attempt to access secure areas of the Evernote Service.”

There is no indication that content stored in Evernote, or payment information for Premium or Business accounts, was accessed; however, the company says that the hackers were able to access the usernames, encrypted passwords and email addresses of Evernote users, prompting the reset of all account passwords as a security measure.

Users can create a new password by signing into their account on evernote.com.  The password will then need to be updated in the Evernote apps after it has been changed on evernote.com.

Evernote has offered the following advice to users to help keep their accounts safe:

  • Avoid using simple passwords based on dictionary words

  • Never use the same password on multiple sites or services

  • Never click on ‘reset password’ requests in emails — instead go directly to the service


Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+