eBay customers have learned that their personally identifiable information (PII) has been compromised as the online auction giant today announced that a database including encrypted passwords and non-financial customer data was breached. The company says the breach occurred in late February and early March but asserts that there is no evidence, so far, that financial data, which is held in a separate database, was compromised. Users are being asked to change their eBay passwords at this time.
Update:
Posted data dump not valid, password reset issues >>
This incident could have been worse had the financial data been kept together with the passwords and personal customer info. But as it stands, eBay says has seen no evidence of fraudulent activity on the eBay user accounts. However, it is unclear what type of encryption was used on the passwords, so it is possible that some or all passwords could be cracked, which means it really is a good idea for all eBay customers to change their password, both for ebay.com, as well as on any other accounts where they may have used the same password.
Because the database also included eBay users' name, email address, physical address, phone number and date of birth, this breach does open up the possibility for other types of scams such as phishing attempts. As such, eBay users should be advised to be on the lookout for suspicious messages, and avoid clicking on links in email (whenever in doubt, go directly to the site by typing its URL into the browser rather than by following links in email).
This incident also brings up the question of 2-Factor Authentication (2FA), both for eBay's own employees and for eBay customers users going forward. eBay says the hack was due to the compromise of a small number of employee log-in credentials, and this could imply that eBay is not requiring its own employees to use multiple factors of authentication in order to access sensitive customer data. This is both worrying and unfortunately not an uncommon scenario for many organizations.
Many websites and online services that have exposed personally identifiable information (PII) in the past few years have begun to offer their users two factor authentication to bolster the security of their account (Twitter and Google are examples that come to mind). It will be interesting to see whether eBay follows this trend as well. If eBay does offer 2FA to users, this could greatly bolster the security of their accounts going forward.
We will keep you updated when new details of the breach are available, but clearly two areas of interest to those investigating the case will be network segmentation and encryption. For example, why wasn't all the data encrypted?
As for network segmentation, it is a common strategy to limit damage when a criminal is able to gain access to a system, or an insider's credentials are abused. Companies should be setting permissions within the organization to only those things a user must access in order to do his or her job. For example, the HVAC vendor in the huge Target retail store breach should not have had access that enabled criminals to get to the Point of Sale terminals (this was clearly not necessary to perform their role as a supplier).
Finally, if you are an eBay user, this would be a good time to make sure your new password is a very strong one, and unique from your other online accounts. And if you have not yet started using a password manager, this could be a good time, as they can be very helpful in creating and maintaining strong passwords for each online account you use.