Wednesday 21 May 2014

eBay compromised...

Today, eBay made the news as it was announced that their database had been compromised.  Personal information had been stolen, including names, addresses, email address, phone numbers, date of birth and an encrypted copy of the users password.  The breach was believed to have occurred between late February to early March.

If you have an eBay account, the first thing to is change your password.  

Depending on the level of encryption, all that is needed to crack the password is time and processing power.  Although the PayPal database is separate and has not been compromised, I would highly recommend changing that password, if it matches your eBay account.

Although my PayPal account rarely has much money left in it, it was only protected with a password.  After today, this was changed to send me a code via SMS when I log in, so I require my password and my mobile phone to gain access to the account now.  You can activate that on your account here,

How was eBay compromised?  Some of the eBay user credentials were obtained and used to carry out the compromise.

We've yet to find out how, but I suspect that it was either someone aware of the eBay way of working, or it obtained via a spear-phishing attack.  Spear-phishing is where specific people are targeted, where the people are either known, or information has been gathered from public sources, such as social media.  Once aware of information relating to the user, they can be targeted by many means, including email.  Typically when the user falls for the trap, software will be deployed onto their computer and the target monitored.  Credentials can be gathered and then used against the organisation the hacker is targeting.

Lockheed Martin pioneered the Cyber Kill Chain where there are seven steps to the potential compromise, and the aim is to break the chain at any one of the seven points.  The sooner, the better.

Another concern is that most organisations would require users to have privileged (such as system administrator) access to be able to access such information.  There are solutions out that that can could have prevented this by managing the password on behalf of the user. 

I'm sure more information regarding the compromise will come to light over next few weeks.  It's surprising that more protection and prevention hasn't been deployed, but being a large organisation like eBay they will always be targeted.


No comments:

Post a Comment