Feeds

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Change your passwords – tat bazaar ransacked by hackers

Secure remote control for conventional and virtual desktops

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised.

Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords, were copied from servers by attackers, we're told. Credit card numbers and other financial records were not touched, and are stored separately, eBay claims. The website has hundreds of millions of user accounts.

Hackers accessed the database between late February and early March after obtaining a few employees' login credentials, and then infiltrated the corporate network.

The digital break-in of staff accounts was detected about two weeks ago, and sparked a computer-forensics probe that is still ongoing. The website's investigators today revealed a database containing customer information was accessed by the hackers.

eBay reckons everyone should change their passwords as a precaution – but it hasn't uncovered any evidence of fraud linked to the breach, it claims. One assumes eBay's techies have closed the hole the attackers exploited to infiltrate its systems, and has cleared its systems of the miscreants.

In a statement, the company added:

After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

eBay's handling of the breach notification has already created a fair bit of confusion: eBay-owned PayPal published then deleted an alert instructing users to change up their passwords this morning.

The brief item on PayPal's site, which included the line "place holder text", was pulled before the security breach was confirmed soon after in a press release. The warning was eventually restored, although PayPal is not affected by the eBay hack.

Exactly how the tat bazaar's passwords were “encrypted", and how the company was infiltrated, remain unexplained. Rik Ferguson, veep of security research at Trend Micro, poses these and other questions in a blog post here.

The exposure of encrypted passwords is bad news because it's now easy to create convincing phishing emails urging people to change their eBay passwords – although said scam emails will instead take victims to a site masquerading as eBay.com to swipe their details.

Weak passwords could also be easily cracked if the website's hashing algorithm isn't up to scratch, and woe betide anyone using the same crap password across multiple sites with the same email address. The habit of many users of using the same password on multiple sites makes this type of attack all too possible.

And the leaking of phone numbers, dates of birth, names and addresses puts many at risk of identity theft by fraudsters. The personal information could also be used to make phishing emails appear more convincing.

"Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be decrypted and fall into the hands of malicious attackers," said infosec industry veteran Graham Cluely in a blog post.

"Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet," he added. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.