Font Size: A A A

Home > News > Case Studies > eBay attacked

Case Studies

eBay attacked

The online retailer eBay is to ask customers to change passwords due to a cyber attack. The e-tailer said that a cyberattack compromised a database containing encrypted passwords and other non-financial data. After tests on its networks, the company said it has no evidence of the compromise resulting in unauthorised activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.

According to the firm, cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network. The firm said that it is ‘aggressively investigating’ the compromise, which dates from between late February and early March. Also it’s encouraging any eBay user who used the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts, IT security figures advise.

Comments

Brendan Rizzo, technical director EMEA at encryption product firm Voltage Security, said: “It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have ‘hashed’ and ‘salted’ its passwords. If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the a compromised user’s behalf.

“This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it’s not a matter of “if” it will be compromised – it’s a matter of “when”. While there is no doubt that eBay has top of the line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company’s defenses undetected. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data.

If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where users’ personal information has now been exposed to an untold number cyber criminals.”

And Toyin Adelakun, VP of Products for Sestus said: “This appears to be more serious than a ”mere” password smash-and-grab. Rather, it seems eBay customers’ names, encrypted passwords, email addresses, physical addresses, ‘phone numbers and dates of birth were stolen. Passwords can and must be reset—especially if they’re reused elsewhere—but the other personal data cannot easily be reset.

“If eBay confirms that wider personal data has been stolen, users must maintain extreme vigilance of all financial statements and of their credit reference files. Users with reason to suspect their identities have been stolen can contact the fraud prevention service CIFAS (in the UK – equivalents elsewhere), and consider asking it to put a ‘protective registration’ on credit reference file. This service costs about £20 (about US$30) and alerts lenders to conduct further checks before approving credit applications. The erstwhile silver bullet of “identity theft insurance” has become somewhat deprecated over the last few years, but users considering such protection should satisfy themselves that such policies definitely offer adequate protection against actual losses. Generally, institutional, regulatory and legal responses to identity theft are immature and still under development, so personal responsibility needs to be the fore, for now.”

Matt Middleton-Leal, regional director, UK and Ireland at CyberArk
said: “The very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach.

“These powerful accounts hold the proverbial ‘keys to the kingdom’. As evident here, they have access to vast stores of information, data and control within the organisations’ digital depositories and, as a result, are the primary target for any hacker who is on the ball. Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked.

“Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing. The way in for these malicious attacks is through the inside and, as such, protection needs to start here – at the heart of the organisation. Monitoring and controlling these powerful accounts every time they’re used is paramount to mitigating the impact of an inside breach. Businesses must start better protecting their assets and critical to this is securing the privileged accounts which form the primary vehicle for so many successful attacks.”

Wieland Alge, the VP and General Manager EMEA, Barracuda Networks said: “There’s no point in overinvesting in state-of-the-art perimeter defences if a company can’tmitigate the risk that is left by own employees not to be fooled into leaving the door wide open for cyber criminals. Today, more than ever before, we have to operate in a Zero Trust Environment.

“Those responsible for IT security must trust no-one and nothing. Not even the fridge. Collective mistrust is no longer a sign of paranoia but has become a guiding principle of IT. Every application and every piece of hardware can now be hacked so IT security has to mistrust everything and everyone. Not customers, not governments and especially not employees. They hold the key to so much and the stakes are so high.

As such, the basic framework of the Zero Trust Environment is clear: Critical infrastructures must be protected against other IT components and users by additional, intelligent security gates. Each query must be checked, each suspicious act prevented and investigated immediately. There’s no excuse for complacency or delay.”

Ben Densham, CTO of the cyber security consultancy, Nettitude, said: “As the latest high-profile organisation to fall victim to a data breach incident, eBay provides another warning to all organisations that the threat to businesses is continuing to grow. The fact that employee accounts were compromised in this case is concerning, as robust controls should be in place around these credentials, including behavioural monitoring systems which flag any suspicious behaviour in real-time. While it remains to be seen how these credentials were compromised – whether via a successful phishing email or the involvement of a third party – it is unfortunately unsurprising that these incidents continue to occur.

“Data breaches involving customer information can be extremely damaging for any business, as lost customer confidence can be hard to regain. All companies that store client data must ensure they have a rigorous cyber security plan in place, that they identify and manage any areas of high risk and that they are fully prepared with an incident detection and response strategy should the worst happen.

“Put simply, organisations must accept that attackers can and will look to exploit any weakness that exist in their security defences. With this in mind, the focus must be on ensuring full network visibility and being able to detect, contain and remediate an attack when – rather than if – the situation arises.”

And Paul Ayers, VP EMEA at data security product firm Vormetric said: “It’s less than half way through 2014 and we’re already beginning to lose count of the number of big name companies that have fallen foul of hack attacks like this. A common theme of many of these breaches is that they involve cybercriminals actively seeking to compromise insider accounts (focusing most heavily on privileged users like IT administrators) in order to infiltrate systems and steal data using their credentials. Because they are exploiting legitimate access, these attacks can be very difficult to spot– indeed the eBay breach occurred as long ago as between late February and early March. It’s a bit like trying to find a needle in a haystack, except the needle is disguised as a piece of straw.

“In the case of the breach at eBay, the cybercriminals have targeted a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. Enterprise databases are a rich seam of valuable data for hackers and the route to this data is often via users that have the appropriate access rights and network privileges. Even though a portion of it was encrypted, it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks. That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed.

“The most effective way to practically defend systems against this kind of threat is to protect data at its source and provide access on a true need to know basis, which can be achieved by implementing encryption combined with tight access controls as a method of carefully separating users’ network access from their ability to actually read, access and copy data. That way, if user accounts are compromised – as seems to be happening on almost a daily basis – there are more effective controls in place to help mitigate the damage that can be done.”

David Emm, senior security researcher at Kaspersky Lab, says: “It’s difficult to quantify the danger customers may be in following the eBay cyber-attack, but of course any personal data in the wrong hands is bad news and it appears that the attackers have gained access to customers’ names, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords. The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond but if the company has only just discovered the full extent of the attack it is now doing the right thing by notifying customers in a timely manner. The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for.

“Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can’t rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place. However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data.”


Tags

Related News