Feeds

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Change your passwords – tat bazaar ransacked by hackers

Top 5 reasons to deploy VMware with Tegile

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised.

Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords, were copied from servers by attackers, we're told. Credit card numbers and other financial records were not touched, and are stored separately, eBay claims. The website has hundreds of millions of user accounts.

Hackers accessed the database between late February and early March after obtaining a few employees' login credentials, and then infiltrated the corporate network.

The digital break-in of staff accounts was detected about two weeks ago, and sparked a computer-forensics probe that is still ongoing. The website's investigators today revealed a database containing customer information was accessed by the hackers.

eBay reckons everyone should change their passwords as a precaution – but it hasn't uncovered any evidence of fraud linked to the breach, it claims. One assumes eBay's techies have closed the hole the attackers exploited to infiltrate its systems, and has cleared its systems of the miscreants.

In a statement, the company added:

After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

eBay's handling of the breach notification has already created a fair bit of confusion: eBay-owned PayPal published then deleted an alert instructing users to change up their passwords this morning.

The brief item on PayPal's site, which included the line "place holder text", was pulled before the security breach was confirmed soon after in a press release. The warning was eventually restored, although PayPal is not affected by the eBay hack.

Exactly how the tat bazaar's passwords were “encrypted", and how the company was infiltrated, remain unexplained. Rik Ferguson, veep of security research at Trend Micro, poses these and other questions in a blog post here.

The exposure of encrypted passwords is bad news because it's now easy to create convincing phishing emails urging people to change their eBay passwords – although said scam emails will instead take victims to a site masquerading as eBay.com to swipe their details.

Weak passwords could also be easily cracked if the website's hashing algorithm isn't up to scratch, and woe betide anyone using the same crap password across multiple sites with the same email address. The habit of many users of using the same password on multiple sites makes this type of attack all too possible.

And the leaking of phone numbers, dates of birth, names and addresses puts many at risk of identity theft by fraudsters. The personal information could also be used to make phishing emails appear more convincing.

"Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be decrypted and fall into the hands of malicious attackers," said infosec industry veteran Graham Cluely in a blog post.

"Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet," he added. ®

Remote control for virtualized desktops

More from The Register

next story
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
Got an iPhone or iPad? LOOK OUT for MASQUE-D INTRUDERS
UNjailbroken iOS 7, 8 open to evil, says secbiz FireEye
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.