
eBay Breached: Time to change your password

eBay’s 145 million users have been asked to change their passwords, following yet another large-scale security breach in the US. Hackers got hold of an undisclosed number of customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

However, eBay reassured its customers in a blog post that there was “no evidence” of any unauthorised access to financial or credit card information, and “no evidence” of unauthorised activity in customers’ accounts.

Phew, that’s a relief.

Despite the company’s reassurances, eBay is still urging all of its users to change their passwords. This comes just one month after Heartbleed forced user password changes across a vast number of sites, including Dropbox, Instagram, Facebook, Netflix, Flickr, Tumblr and Pinterest.

video: http://www.cnet.com/videos/link/n_TAh0MZoVBkv2_0QpnRCzN2wWDXC6x0/

While the eBay breach is perhaps not as bad as last year’s Target breach, where credit and debit card information of more than 40 million customers was stolen, it’s not without its risks.

In the eBay breach, hackers got away with all the essential personal information that makes identity theft and phishing all too easy.

“Folks have got to be on the lookout for phishing scams and other attacks which might exploit the breached data,” British security blogger Graham Cluley said.

And what about PayPal?

eBay said it also had “no evidence” of unauthorised access or compromises to personal or financial information for PayPal users. It explained, “PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”

So, how did the hackers do it? According to eBay, they came in through the employee entrance.

“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network,” eBay said.

eBay also emphasised how hard it was working to get to the root of the problem. “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”

Moving fast enough?

Despite this “aggressive” investigation, some wonder why it took eBay so long to not only discover the breach, but to notify its users.

According to eBay, its database was compromised between late February and early March. However, the compromised employee log-in credentials were only detected at the beginning of May. It then took eBay two weeks to inform its users of the problem.

“We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise,” eBay spokeswoman Amanda Miller said when asked why the company had not immediately notified users.

On May 21, eBay said, “Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password.”

Many eBay users complained they have yet to receive any such notification.

eBay responded to these concerns in a Tweet on Thursday afternoon (US time), “Just to let everyone know, it will take some time for every eBay user to get our reset email. You can still go to eBay to change password.”

Nevertheless, while eBay “investigates” and users go through the rigmarole of changing their passwords yet again, one has to wonder why all of eBay’s personal user information was not encrypted, as pointed out by Rik Ferguson, Director of Security Research & Communications, EMEA of Trend Micro.

The post eBay Breached: Time to change your password appeared first on Quid.

