eBay customers had their personally identifiable information compromised as the online auction giant announced that a database including encrypted passwords and non-financial customer data was breached in late February and early March. Users are being asked to change their eBay passwords.
This incident could have been worse had the financial data been kept together with the passwords and personal customer info. But eBay says has seen no evidence of fraudulent activity on the eBay user accounts. However, it is unclear what type of encryption was used on the passwords, so it is possible that some or all passwords could be cracked, which means eBay customers would want to change their passwords, both for ebay.com, as well as on any other accounts where they may have used the same password.
Because the database also included eBay users’ name, email address, physical address, phone number and date of birth, this breach does open up the possibility for other types of scams such as phishing attempts. Receiving a fake email, supposedly from eBay, addressing the account holder with their actual name would certainly make a lot of people trust it and follow its instructions. As such, ESET Ireland advises eBay users to be on the lookout for suspicious messages, and avoid clicking on links in email (whenever in doubt, go directly to the site by typing its URL into the browser rather than by following links in email).
eBay says the hack was due to the compromise of a small number of employee log-in credentials, and this could imply that eBay is not requiring its own employees to use multiple factors of authentication in order to access sensitive customer data. This is both worrying and unfortunately not an uncommon scenario for many organizations. Many websites and online services that have exposed personally identifiable information in the past few years have begun to offer their users two factor authentication to bolster the security of their account (Twitter and Google for instance). It will be interesting to see whether eBay follows this trend as well and offer 2FA to users, as this could greatly bolster the security of their accounts going forward. And we also wonder, why wasn’t all the data encrypted?
More info on latest threats: blog.eset.ie