On Wednesday, eBay issued an advisory to users stating that passwords will need to be changed, after a database containing user information was compromised. When a company this large reports a security incident, it tends to turn into a FUD-fueled news cycle.
In the event that people within your organization have questions, here's an overview of the incident, with some additional details you can use when discussing the situation.
How did this happen?
According to eBay, attackers compromised employee log-in credentials. This gave the attackers access to the corporate network and the systems on it.
As is the case with most attacks that result in credential theft, the attackers likely used a social-engineering attack of some kind. The best bet is Phishing. However, eBay isn't discussing how the credentials were compromised, so it could have been Phishing, or it could have been malware. The public may never know.
When did this happen?
eBay says that the credential theft and database access occurred in late February and early March. The reason eBay didn't tell anyone before now is that the company didn't know it had a problem. The unauthorized access was only recently discovered (early May). The time between discovery and disclosure is rather short, which is a good thing.
Is there still a problem?
No. eBay thinks that the issue is resolved. They've closed off the unauthorized access and added additional protective measures. However, the company didn't explain exactly what those measures were.
What information was compromised?
The only things actually compromised were the credentials used by eBay staff. However, because the attackers were able to access the user database, eBay is assuming the worst has happened. Thus, this compromise could impact more than 145 million people.
The database that eBay is talking about contained the following:
- Customer Name (First and Last)
- Encrypted Password*
- Email Address
- Physical Address
- Phone Number
- Date of Birth
* eBay says that the passwords were encrypted, but they didn't explain how. It is also possible that they are confusing terms, and that the passwords were salted and hashed. Either way, it's likely the company was storing the passwords safely.
Update: eBay has stated that the passwords were salted and hashed, but refused to comment on the algorithm, stating "[we] can't comment any further on our encryption."
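To make the distinction the update draws concrete, here is an added illustration of what "salted and hashed" means for a stolen password table, contrasted with an unsalted hash. This is example code written for this article, not eBay's own scheme (eBay declined to name its algorithm); the PBKDF2-HMAC-SHA256 parameters, 16-byte salt and 200,000 iterations are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the example; eBay never disclosed its actual algorithm.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak pattern: a bare SHA-256 of the password.

    Every user with the same password gets the same digest, so one cracked
    digest (or a precomputed table) unlocks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash for storage: 'pbkdf2_sha256$iter$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_records_collide(password: str) -> bool:
    """Two users sharing a password produce identical unsalted records."""
    return unsalted_hash(password) == unsalted_hash(password)


def salted_records_distinct(password: str) -> bool:
    """With per-user salts, the same password yields two different records,
    so an attacker holding the dump must attack each record separately."""
    return hash_password(password) != hash_password(password)
```

The fourth field of the stored string is what a breached database would expose; without the salt and the iteration count an attacker cannot shortcut the work per record.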
There was no financial information stored in the compromised database. None.
What about personal information, was that encrypted?
No, according to eBay, it was not. The company only says that the passwords were encrypted, and it makes no effort to suggest that any of the other compromised data was equally secured.
Thus, aside from the passwords, the attackers could've gotten access to everything else. Personal information is used for many security functions, including account access and management.
"Many sites can be easily tricked into resetting passwords - requiring a minimum of personal information to do so. The non-encrypted personal data that was stolen from eBay could potentially enable users’ credentials to become compromised on a wide array of other sites through this kind of social engineering technique." - Paul Lipman, CEO, iSheriff
What about PayPal?
eBay says that the compromised data isn't related to PayPal, as the two sets of information reside on separate systems.
However, many people share passwords between the accounts, so it's wise to change your eBay password and your PayPal password to something completely different. It's also a good habit to use a password manager in order to generate secure, individual passwords for each account.
Popular password managers include KeePass, LastPass, and 1Password.
Again, eBay has stated that no financial data was exposed during this incident; this includes PayPal information.
What about Phishing?
There is a high risk of Phishing attacks related to the eBay compromise. The best way to avoid this is to go to eBay directly and reset your password on the website.
Once eBay has its notification system in place, you'll be prompted to reset your password when you access the website. Before that system is live, however, resets will need to be done manually.
eBay will be sending email notifications, but the safest course of action is to visit eBay's website directly to reset your password.
There has been an uptick in PayPal-related Phishing in the last 24 hours (21-May-2014), which at this time appears to be unrelated to the eBay announcement. However, criminals could well change tactics.
According to AppRiver, a company that focuses on email threats, there have been some 60,000 Phishing emails delivered in the latest campaign. Wednesday's spike equates to a 140 percent jump compared to volumes earlier in the week.
"There is no evidence yet to suggest that they were directly related to the breach, however the increase in output could be related," AppRiver's Troy Gill said in an email.
"When major news like this breaks, it opens the door for eBay or PayPal Phishing campaigns to be more effective since the general public is familiar with the situation and may not realize they're being duped."