The eBay Breach – Was The Response Good Enough?

When it comes to data breaches, the comment I hear more often than any other is that it's when, not if, it will happen to you. As a result, security experts aplenty recommend developing a breach response plan well ahead of time.

Given that customers are the lifeblood of every business, it seems sensible that any action taken after a breach has been discovered should be centred on them, the people who ultimately pay the wages of everyone employed by the company.

That's why it is so important, after a breach, to get those communication lines opened up and passing on details and advice – us consumers like to know what happened, what is happening now, how it may affect us, what we need to do on our end and, most importantly, we want to know that you are sorry for letting an unauthorised person or group get hold of our personal information.

eBay breach

So, given the news yesterday that eBay had experienced a data breach (the company found out a couple of weeks ago but it looks like the incident actually occurred in February or March), how did the company fare in the incident response stakes?

In my opinion, the answer is not very well.

Whilst the online auction giant has certainly pushed some information into the public domain, it hasn’t been as easy to find as perhaps it should have been, and other media outlets have proven to be much better sources, at least in my own experience.

So what actually happened at eBay?

The company yesterday disclosed that a small number of employee login credentials were compromised after attackers gained access to the company’s corporate network.

The attacker (or attackers) then jumped onto their cyber horses and rode off into the virtual sunset, along with a database containing encrypted passwords and other non-financial data.

How did it happen?

For now at least, that is the million dollar question, and one which security pros and eBay customers alike are waiting to have answered.

The early hypotheses appear to float towards the idea that a spear phishing attack may be key.

Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre, talking to Help Net Security, said:

“Based on the sparse information available this attack has all the hallmarks of a spear phishing attack resulting in the log-in credentials of eBay staff being stolen.”

And, like Brian, I am hopeful that eBay will provide more information in time as such data could be beneficial in helping other organisations better protect their own systems.

What data has been accessed?

According to eBay, the database thief swiped encrypted passwords and other non-financial data so customers have nothing to worry about, right?

Well, that may be true from eBay’s point of view but, alas, a third party may have other ideas.

The company confirmed that the following were taken:

  • Customer name
  • Encrypted password
  • Email address
  • Physical address
  • Phone number
  • Date of birth

Now I don’t know about you but I already have some concerns about what a malicious third party (say, an eBay database thief, for example) may choose to do with that information, be it identity theft or a convincing phishing campaign.

Mark James, technical team leader at ESET said:

“The obvious concern here is knowing exactly what was and was not compromised. They state that eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were compromised, and all of this information can be used to steal user identities. This is a major concern when this type of attack happens and to hear it happen to such a large corporate organisation is very worrying.”

And Dwayne Melancon, CTO of Tripwire, said:

“eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this. To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site.”

Who dunnit?

No-one knows at this time and that is perhaps a little surprising actually.

Attackers can have a variety of motives for going after such information but it is reasonable to assume that a breach of this magnitude must surely have an end game.

If eBay was attacked for financial reasons I would have expected to hear about wide scale account breaches by now (though we don’t know a huge amount about how the passwords were encrypted, see below), an uptick in identity theft, or a mass of phishing emails being pumped out, complete with personalisation based upon the compromised user data mentioned earlier.

If the breach was initiated by hacktivists then I would guess that they would have some sort of point to make, or would simply post the data on PasteBin or similar in order to gain some plaudits for their work.

Of course there is one other possibility – it could have been the NSA, GCHQ, naughty Chinese military types, or whoever the bad guy is this week. I could see how such a large pot of data about millions of users could be of interest to them but then they already know what we buy years before we sell it again on eBay anyway don’t they?

What's the story with passwords?

As mentioned earlier, eBay has clearly said that encrypted passwords have been swiped. But what we don’t know is how those passwords were encrypted in the first place.

As it is unclear whether or not the passwords were salted and hashed, it is unclear just how safe they are.

Therefore the best, and only, advice is change your eBay password immediately.
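As an added illustration (my own code, not anything from the original post or from eBay, whose scheme is not public), this is what the distinction above means in practice: the same password stored as a fast, unsalted hash versus stored with a random per-user salt and a slow key-derivation function. PBKDF2-HMAC-SHA256 and the iteration count are my assumptions for the "good" side; the sample password is constructed.

```python
# Added example: why "encrypted passwords" says little until we know
# whether they were salted and hashed with a deliberately slow algorithm.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; tune to your own hardware budget


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 digest.
    Every user with the same password gets the same digest, so a single
    cracked digest (or a precomputed table) unlocks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The sound scheme: random per-user salt plus a slow KDF.
    Returns a self-describing record: pbkdf2_sha256$iters$salt$hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the stored salt and iteration count, then compare in
    constant time so a timing side channel does not leak digest prefixes."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(scheme, password: str) -> bool:
    """Do two users who chose the same password end up with identical stored values?"""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("unsalted SHA-1 collides across users:", same_password_collides(unsalted_hash, pw))
    print("salted PBKDF2 collides across users: ", same_password_collides(hash_password, pw))
    rec = hash_password(pw)
    print("verify right password:", verify_password(pw, rec))
    print("verify wrong password:", verify_password("wrong", rec))
```

If the stolen table were in the first form, a single cracking run covers every customer who shared a password; in the second form each record must be attacked separately and slowly, which is why the salting question matters so much here.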

Hopefully eBay users all around the world will be prompted to change their passwords next time they try and login to the site, though F-Secure’s Rik Ferguson (sorry Graham, couldn’t resist) noted that US, Australian and app users may not:

If you haven’t changed your password yet please do so now. If you aren’t prompted via eBay’s homepage then http://www.ebay.com/reset is the URL you need.

How do I choose a new password?

Luckily I can save my typing fingers here by adding a screenshot of my list of password tips that recently appeared on the BH Consulting blog:

[Screenshot: password tips]

Is PayPal affected?

According to eBay, the breach should not have any consequences for its PayPal customers:

“If you are a PayPal user, we have no evidence that this compromise affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.”

That said, I am sure we are all aware that some people do have a tendency to use the same password, often in conjunction with the same email address, across multiple sites. As both of those credentials are at risk, it would be prudent to change your PayPal password if you have been foolish enough to re-use login data.

Dwayne Melancon also suggests taking advantage of the optional 2FA available with PayPal:

“Many eBay users also have their accounts connected to PayPal (which is owned by eBay) for payments. For further security, I recommend customers make use of PayPal’s optional feature which uses 2-factor authentication to verify the users’ identity prior to making a payment. Given that PayPal is linked directly to users’ bank accounts, this is a best practice even if there had not been a data breach at eBay.”

So, was eBay’s response good enough?

I’ve already alluded to the fact that I don’t think it was.

It is often said that communication is the key to a good relationship and I think that applies to the business world just as much as it does to inter-personal interactions.

eBay, in my opinion, has failed in this respect for a number of reasons.

Firstly, the company knew of the breach for two weeks before going public. Whilst it is understandable that it would want to analyse the attack, timing is critical. Given the risk to customers, based upon the type of personal information that has been acquired by whomever attacked the company, there is a very real risk that the perception of the company may have taken a big hit.

And for a business, the level of trust in its relationship with its customers is vitally important to its long-term success.

Worse, perhaps, is the fact that it took eBay 2-3 months to even become aware of the breach in the first place. Given all the hurrah surrounding Target and the fact that it missed signs of its breach and failed to heed warnings, it is almost unforgivable (from a customer point of view at least) that a situation that looks very similar from the outside looking in could happen again.

Another failure in this case, as far as I am concerned, surrounds the changing of passwords.

I don’t agree with some experts who say that eBay should enforce a password reset for all of its customers – the site is already reportedly at a crawl at times due to the number of people (hopefully) in the process of doing just that of their own accord. If a reset was enforced and publicised via a mass email blast then I could imagine that eBay’s various regional sites would quickly experience something akin to a DDoS attack – which could quite quickly add to the confusion, or simply lead to the average customer putting off the change of credentials until a much later date.

What does seem wrong though is the fact that some users are still not seeing any messages from eBay when they attempt to log into the site. However embarrassing eBay may feel the situation is, I think they should make a big deal of it with a clear message displayed prominently on the site. Their customers will appreciate that far more than learning the news from other third party sites.

The way forward

Data breaches are on the rise, there is no getting away from that. Don’t think “if”, think “when.”

Of course there is plenty that companies can do to manage and lessen the risk but some consideration should also be given to what the response will be when things go wrong.

Whatever people may think of eBay and its reaction thus far, the company still has an opportunity to influence perception and bolster trust post-breach.

Without inside privilege it is impossible to know much about the company’s security strategy but there will no doubt be an in-depth investigation, lots of questions asked, and action taken.

One obvious customer-facing change that could be implemented though is two-factor authentication, which would add an additional layer of security to the basic password system currently in use (which allows very weak passwords to be employed). I think this would be especially useful on such a site, considering the amount of alleged buyer fraud I have heard about.

The company also still has the opportunity to improve its response by providing more information to its customers via email or by more prominent use of its homepage.

Over to you, eBay…

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
