The news: Web sales giant eBay has fallen victim to a massive cyber attack that may have compromised as many as — wait for it — 128 million users as far back as three months ago. Leaked information includes passwords and "unprotected" real-world data such as customer names, e-mail addresses, real-world addresses, phone numbers and dates of birth. Users are urged to change their passwords immediately, as well as change any identical passwords on other sites.
eBay released the following statement:
eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyber attack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats ...
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The company said that the compromised employee log-in credentials were first detected about two weeks ago.
How bad is this news? Pretty bad. Hackers are getting better and better at bypassing corporate security systems, and tech experts are increasingly surprised at how lax the safeguards can be in the first place.
According to a new survey from Dashlane, a password management company, many prominent sites that routinely collect consumer data have dangerously lax password requirements.
The study found that 86% of sites received a “subpar” score of below +50, the study’s minimum requirement for password security. Match.com, Hulu, Overstock, Fab, and Amazon posted the lowest password scores.
Image Credit: dashlane.com
What are hackers looking for? The goal may not have been to access compromised accounts or steal money from customers directly. Large databases of personally identifiable information are highly valuable on the black market to spammers, criminals and scam artists. Stolen information may even eventually end up in the hands of legitimate companies. A large-scale attack on Target point-of-sale systems distributed 360 million credentials and 1.25 billion email addresses across the black market. OpenSSL's Heartbleed bug, which rendered huge portions of the Internet vulnerable to access by unauthorized parties, similarly exposed consumers to potential theft and fraud. Experts estimate one in 16 Americans have their identity stolen each year, though most never actually have financial data stolen.
Cybersecurity expert Alan Woodward told The Independent that "eBay has some serious questions to answer."
"That this has happened to a big company like eBay results in a collective sigh from everyone involved in online security. It just shouldn’t happen."
"I infer from the statement from eBay that what has happened is that a small number of employees with privileged access have fallen prey to something like a phishing attack and inadvertently given away their login credentials."
"However, for something as important as this database, it should take more than just username and password to access it. There should have been two-factor authentication."
Likewise, expert Brendan Rizzo said the most "worrying aspect of this disclosure" was that eBay apparently left consumer info "completely unprotected."
What's it mean for me? As PolicyMic's Eileen Shim has previously noted, "Our data is never really safe."
You should keep up with best practices for security, including varying your usernames, being cautious about how you distribute your email addresses, and limiting how much personal information you actually put on the net. But ultimately, sooner or later your data will almost certainly be compromised, so always review your financial statements for bogus charges or evidence of fraud.