With Target’s security breach and the Heartbleed bug still fresh in many consumers’ minds, eBay, the online marketplace giant, revealed recently that its entire user database was compromised in a hacking attack. While some eBay users have received emails urging them to change their passwords, others only heard of the database breach from third-party sources and not officially from eBay itself.
In comparison to Target’s breach, which involved up to 110 million customers’ personal details and 40 million credit card records, this attack on eBay is much larger. It is estimated that 233 million people’s personal data was stolen. Furthermore, it is clear that the cybercriminals intend to profit from the info they stole. On Sunday, May 23, the personal information of 715 individuals was advertised online for sale, all apparently from the eBay breach.
Given this, many are upset by eBay’s slow response, and with good reason. According to the official statement on eBay’s website, the database was hacked in late February and early March, nearly three months ago. This is made even more concerning by the fact that eBay only detected the breach around the week of May 4th, and did not break the news to the public until May 21st.
As explained in eBay’s statement, the breach was the result of hackers gaining unauthorized access to eBay’s network by figuring out employee log-in credentials. The compromised data includes eBay customers’ names, email addresses, physical addresses, phone numbers and birthdates. The hackers were also able to steal encrypted passwords.
These passwords were only encrypted, however, and not hashed and salted, which would have been more secure. While encryption might slow the hackers down, eBay’s failure to store passwords in a more secure format offers little comfort. After all, as the 2012 LinkedIn data breach already illustrated, 60% of stolen LinkedIn passwords (which were hashed) were cracked within 2 days of the theft. Thankfully, while eBay also owns PayPal, the online giant reported that the personal and financial information of PayPal users was not compromised in the attack, as that data is apparently stored on a separate secure network.
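To make the storage distinction above concrete, here is an added example (not eBay’s or LinkedIn’s code) that stores the same constructed accounts first with a fast unsalted digest and then with a per-user salt and a slow key-derivation function. The account names, passwords, record format, the choice of SHA-1 as the fast digest, and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!", "carol": "c0rrect-horse"}

def unsalted_sha1(password):
    """Weak pattern: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than raise

def shared_values(table):
    """Count stored values that appear for more than one account."""
    counts = Counter(table.values())
    return sum(1 for n in counts.values() if n > 1)

if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("values shared between accounts, unsalted SHA-1:", shared_values(weak))
    print("values shared between accounts, salted PBKDF2:", shared_values(strong))
    print("alice verifies:", verify_password(USERS["alice"], strong["alice"]))
```

With the unsalted digest, one recovered password exposes every account that reused it; with per-user salts each record has to be attacked separately, and the iteration count sets the cost of every guess.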
All eBay customers are encouraged to change their passwords immediately if they have not already. Passwords on any other sites that share the same password, especially sensitive ones like your online banking account, should also be updated. This is important because cybercriminals often attempt to break into other sites using your stolen information, such as your email address and eBay password. When updating your information, also be wary of phishing emails that attempt to look legitimate in order to steal more data. If you are unsure, go to the website directly to make changes.
For internet security in general, try to use a unique password for each site. Avoid commonly guessed passwords that involve your name or birthdate, as those personal details are easily discovered (or in eBay’s case, have already been stolen). If you struggle to remember more than a few passwords, this may be a good time to begin using a password manager.