Feeds

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Change your passwords – tat bazaar ransacked by hackers

Protecting users from Firesheep and other Sidejacking attacks with SSL

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised.

Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords, were copied from servers by attackers, we're told. Credit card numbers and other financial records were not touched, and are stored separately, eBay claims. The website has hundreds of millions of user accounts.

Hackers accessed the database between late February and early March after obtaining a few employees' login credentials, and then infiltrated the corporate network.

The digital break-in of staff accounts was detected about two weeks ago, and sparked a computer-forensics probe that is still ongoing. The website's investigators today revealed a database containing customer information was accessed by the hackers.

eBay reckons everyone should change their passwords as a precaution – but it hasn't uncovered any evidence of fraud linked to the breach, it claims. One assumes eBay's techies have closed the hole the attackers exploited to infiltrate its systems, and has cleared its systems of the miscreants.

In a statement, the company added:

After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

eBay's handling of the breach notification has already created a fair bit of confusion: eBay-owned PayPal published then deleted an alert instructing users to change up their passwords this morning.

The brief item on PayPal's site, which included the line "place holder text", was pulled before the security breach was confirmed soon after in a press release. The warning was eventually restored, although PayPal is not affected by the eBay hack.

Exactly how the tat bazaar's passwords were “encrypted", and how the company was infiltrated, remain unexplained. Rik Ferguson, veep of security research at Trend Micro, poses these and other questions in a blog post here.

The exposure of encrypted passwords is bad news because it's now easy to create convincing phishing emails urging people to change their eBay passwords – although said scam emails will instead take victims to a site masquerading as eBay.com to swipe their details.

Weak passwords could also be easily cracked if the website's hashing algorithm isn't up to scratch, and woe betide anyone using the same crap password across multiple sites with the same email address. The habit of many users of using the same password on multiple sites makes this type of attack all too possible.

And the leaking of phone numbers, dates of birth, names and addresses puts many at risk of identity theft by fraudsters. The personal information could also be used to make phishing emails appear more convincing.

"Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be decrypted and fall into the hands of malicious attackers," said infosec industry veteran Graham Cluely in a blog post.

"Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet," he added. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.