Samantha Murphy at Mashable.
eBay is the latest victim of a cyberattack, and if you are one of the 145 million users with an account, you’re likely affected.
While eBay is urging users to update their passwords immediately, many are left wondering what this means for their data and what they can do to keep it safe.
The breach, which was confirmed by investigators this week, happened in early May (not late February and early March, as eBay first said) when hackers snatched up information such as usernames, email addresses, physical addresses, phone numbers and dates of birth. The hackers were even able to access passwords, but they were in encrypted form, so it’s unlikely they were compromised.
eBay said no financial information was taken and that the cyberattackers found their way in through employee login information.
While your credit card information may be safe, experts believe the ramifications of the security breach could be vast.
“The impact of the eBay compromise will likely spread beyond just eBay because people often reuse passwords across multiple sites,” Trey Ford, global security strategist at Rapid7, told Mashable. “It’s hard to predict just how serious that might be, and there may be other compromises that happen as a result that are never directly tied back to this breach. Users really need to change their passwords as soon as possible, and avoid reusing passwords across sites.”
The news comes just a few weeks after an encryption flaw called the Heartbleed bug affected many popular websites and services such as Gmail and Facebook. The bug quietly exposed sensitive account information, such as passwords and credit card numbers, over the past two years and went widely undetected until recently.
Following the Heartbleed bug news, a survey conducted by Software Advice revealed 67% of web users didn’t update their passwords.
With enough time and resources, Ford says, a hacker can fly under the radar for a while, and until he actually steals information it is hard for an organization to detect or defend against him.
“Big companies have incredibly complex environments, with hundreds of thousands of users and systems they need to monitor, which means there are a lot of potential entry points for attackers to target,” Ford said. “And in the case of big companies, they often are targets for attackers because they have a lot of customers and a lot of valuable data. So attackers that are well-resourced will invest real time in casing a large company to find a way in, which frequently involves manipulating the company’s employees or trusted network in some way.”
Similar to other high-profile breaches, hackers move slowly in order to remain stealthy.
“We’re seeing this increasingly being the case in high profile breaches, like with Target — attackers take their time, do some reconnaissance and figure out an entry point that often leverages credentials stolen from a user related to the organization,” Ford said. “This kind of infiltration is really hard to spot, and it looks like a normal user accessing the system.”
eBay’s breach might be even larger than Target’s large-scale attack earlier this year, which affected its 40 million card devices at checkout stations across stores nationwide and about 110 million shoppers, but that depends on how you look at the two cases.
“Payment details were not taken at eBay so the question comes down to the value of the data,” said Raj Samani, VP at McAfee.
Security breaches are becoming increasingly common, and this one is a reminder to keep on top of password management. Passwords should also be updated because eBay stores private customer information that can be used against the user in subsequent phishing scams, said Darren Guccione, CEO of password management firm Keeper Security.
“There is always risk of future loss so the key is to practice good password management,” Guccione added. “We encourage consumers to change passwords on their most important and frequently used sites every six months. When creating a password, it’s important to use letters, numbers and symbols which can be accomplished with a password manager.”