Change Your Passwords on These Sites Immediately

The news: Web sales giant eBay has fallen victim to a massive cyber attack that may have compromised as many as — wait for it — 128 million users as far back as three months ago. Leaked information includes passwords and "unprotected" real-world data such as customer names, e-mail addresses, real-world addresses, phone numbers and dates of birth. Users are urged to change their passwords immediately, as well as change any identical passwords on other sites.

eBay released the following statement:

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyber attack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats ...

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The company said that the compromised employee log-in credentials were first detected about two weeks ago.

How bad is this news? Pretty bad. Hackers are getting better and better at bypassing corporate security systems, and tech experts are increasingly surprised at how lax the safeguards can be in the first place.

According to a new survey from Dashlane, a password management company, many prominent sites that routinely collect consumer data have dangerously lax password requirements.


The study shows that 86% of sites received a “subpar” score of below +50, the study’s minimum requirement for password security. Match.com, Hulu, Overstock, Fab, and Amazon posted the lowest password scores.



What are hackers looking for? The goal may not have been to access compromised accounts or steal money from customers directly. Large databases of personally identifiable information are invaluable on the black market, being of immense value to spammers, criminals and scam artists. Stolen information may even eventually end up in the hands of legitimate companies. A large-scale attack on Target point-of-sale systems distributed 360 million credentials and 1.25 billion email addresses across the black market. OpenSSL's Heartbleed bug, which rendered huge portions of the Internet vulnerable to access by unauthorized parties, similarly exposed consumers to potential theft and fraud. Experts estimate one in 16 Americans have their identity stolen each year, though most never actually have financial data stolen.

Cybersecurity expert Alan Woodward told The Independent that "eBay has some serious questions to answer."

"That this has happened to a big company like eBay results in a collective sigh from everyone involved in online security. It just shouldn’t happen."

"I infer from the statement from eBay that what has happened is that a small number of employees with privileged access have fallen prey to something like a phishing attack and inadvertently given away their login credentials."

"However, for something as important as this database, it should take more than just username and password to access it. There should have been two-factor authentication."

Likewise, expert Brendan Rizzo said the most "worrying aspect of this disclosure" was that eBay apparently left consumer info "completely unprotected."

What's it mean for me? As PolicyMic's Eileen Shim has previously noted, "Our data is never really safe."

You should keep up with best practices for security, including varying your usernames, being cautious about how you distribute your email addresses, and limiting how much personal information you actually put on the net. But ultimately, sooner or later your data will almost certainly be compromised, so always review your financial statements for bogus charges or evidence of fraud.


Tom McKay

Tom is a staff writer at Mic, covering national politics, media, policing and the war on drugs. He is based in New York and can be reached at tmckay@mic.com.
