Megabrand eBay has fallen to the hackers - do the world’s most powerful brands know what they’re doing?
Yesterday eBay set in motion what must be the largest password reset in Internet history after asking its entire user base of 230 million users to change their logins to beat yet another severe data breach.
We can recount the bare facts because, so far, there aren’t many. As has been the case in many other high-profile data breaches, the precise number affected by the compromise has not been revealed, which makes the reset for all users sound like a simple precaution. It isn’t.
According to an announcement, sometime between February and March this year the attackers got their hands on the login credentials of a small number of employees, gaining access to a database containing customer names, home and email addresses, phone numbers, and dates of birth.
Encrypted passwords were also part of the breach, but no financial information was lost from eBay or PayPal accounts, the latter being stored on a separate network, the firm said triumphantly, as if that were the only worry.
The credential compromise and hack was not discovered until a fortnight ago, since when eBay has conducted forensics to establish the seriousness of the attack, it said.
“The company said it has seen no indication of increased fraudulent account activity on eBay,” eBay insisted. Users were being asked to change their passwords from later on Wednesday 21 May, and to consider changing them on other sites if the same password had been re-used.
Of course, if the attack happened in February or March, it’s long past the point where a reset of those services will stop possible secondary compromises; eBay users will have been exposed for nearly two months.
The firm is only the latest in an exhausting line of firms to suffer serious data breaches, which raises larger issues about the ability of Internet firms to look after the data of their customers. Nobody seems to have an answer.
“This appears to be more serious than a mere password smash-and-grab. Rather, it seems eBay customers’ names, encrypted passwords, email addresses, physical addresses, ‘phone numbers and dates of birth were stolen,” commented Toyin Adelakun, of authentication firm Sestus.
“Passwords can and must be reset - especially if they’re reused elsewhere - but the other personal data cannot easily be reset.”
This is the troubling issue with large data breaches. Once certain personal data is stolen, it’s stolen for good because, at present, the industry focuses only on encrypting financial rather than personal data. Arguably, if anything, it should be the other way around, but the encryption of financial data is as much to protect the system as its users.
The type and quality of encryption used by eBay is not known and may never be revealed.
“The more worrying aspect of this disclosure is that it appears that the other personally identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on a compromised user's behalf,” agreed Brendan Rizzo, technical director EMEA of encryption firm, Voltage Security.
The scale of the eBay hack makes what happened recently to UK site Mumsnet look tame; that compromise affected only 1.5 million active users. But in truth we’ve been here so many times before, in different guises and in different sectors, that a pattern is emerging: none of them can defend their customers.
The damage done by this goes far beyond one company and its users. The people who stole an unknown amount of user data from eBay know their names, addresses, dates of birth and phone numbers. If tens of millions of partial identities are out there that is a disaster that will live long after the headlines have faded. Every time an incident happens the long-term cost of the breach era rises for ordinary people.
Posted by John Dunn