
7 Facts: eBay Fumbles Password Reset Warning

Online auction site criticized for notification misfire, failing to make password resets mandatory.

Security alert to all eBay users: Change your passwords now.

That warning was issued Wednesday by eBay, which announced that hackers stole legitimate employee login credentials and used them to access eBay's network and steal a database containing information on 145 million users. The stolen database included personal information on users stored in plaintext format, as well as hashed and salted copies of their eBay passwords.

Here's what's known so far about the breach, how eBay has responded, as well as what users should do and expect in the wake of the breach.

1. Breach undetected for two months
While the breach appears to have occurred in late February or early March -- after attackers stole several employees' login credentials -- the theft and unauthorized use of those credentials wasn't detected until "about two weeks ago," thus triggering an investigation, eBay said in a blog post Wednesday. "Extensive forensics subsequently identified the compromised eBay database."

Having a breach last for at least two months before it's detected isn't unusual. According to a study of 2013 breaches released Wednesday by Trustwave, when a business self-detects a breach, that detection takes place -- on average -- 32 days after the breach occurred. Meanwhile, when an organization learns about the breach from a third party, an average of 108 days, or more than three months, will have elapsed from breach to notification.

2. Unclear: Password encryption strength
One worry, however, is that with the stolen eBay password hashes available offline, attackers may have had time to recover the underlying passwords using next-generation password-cracking systems.

An eBay spokesman didn't immediately respond to an emailed request for more information about exactly how the passwords had been encrypted. That information could help information security experts estimate if -- or for how long -- the stolen passwords might be safe.

To be clear, eBay said there's no indication that the stolen, encrypted password data has been cracked and used by attackers. Likewise, the company said that all financial information, including that pertaining to subsidiary PayPal, was stored separately. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
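As an added illustration (not eBay's code, and not anything the company disclosed about its own storage), the following Python shows why the hashing scheme matters for the question above: the same salted password is verified under a fast hash and under a deliberately slow key-derivation function, and the cost of one offline guess is measured for each. The two scheme names and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Added illustration, not eBay's code. eBay said its stored passwords were
# hashed and salted but did not say with which function. The function choice
# sets how many guesses per second an offline attacker can make against a
# stolen database, and so how long users have to change their passwords.

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def salted_hash(password: str, salt: bytes, scheme: str) -> bytes:
    """Hash a password with a per-user salt under one of two schemes."""
    data = password.encode("utf-8")
    if scheme == "sha256":      # fast hash: one compression per guess
        return hashlib.sha256(salt + data).digest()
    if scheme == "pbkdf2":      # slow KDF: iterations multiply attacker cost
        return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(password: str, salt: bytes, stored: bytes, scheme: str) -> bool:
    """Compare a candidate against the stored hash in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, scheme), stored)


def seconds_per_guess(scheme: str, samples: int = 10) -> float:
    """Measure the cost of one guess on this machine for the given scheme."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        salted_hash(f"guess{i}", salt, scheme)
    return (time.perf_counter() - start) / samples


def slowdown_factor() -> float:
    """How many times costlier one PBKDF2 guess is than one salted SHA-256 guess."""
    return seconds_per_guess("pbkdf2") / seconds_per_guess("sha256")


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = salted_hash("correct horse", salt, "pbkdf2")
    print("verify correct:", verify("correct horse", salt, stored, "pbkdf2"))
    print("verify wrong:", verify("correct horsf", salt, stored, "pbkdf2"))
    print(f"PBKDF2 guess is {slowdown_factor():.0f}x costlier than salted SHA-256")
```

The ratio printed at the end is the factor by which a slow KDF stretches the window between a database theft and a successful offline recovery of common passwords.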

3. Public notification: eBay stumbled
eBay arguably fumbled its public breach notification after Engadget reported seeing a half-finished PayPal blog post Wednesday warning people to change their eBay passwords. But after that news broke, and eBay posted an official statement on its website, it still took the online auction business more than 24 hours to send an email alert to all of its users.

In the meantime, the password-reset advisory remained noticeably absent from the online auction site's homepage or login screen for some hours, leading security expert Graham Cluley to ask why eBay seemed to be "burying news of its security breach from its millions of Web visitors."

When the company eventually did put a warning on its homepage, it linked to a static warning message, leaving users to navigate multiple drop-down menus, and execute at least a half-dozen clicks, to locate the password reset page.

It would have been simpler if eBay's website notice had included a direct link to its password-reset page.

4. Beware phishing attacks
Going forward, expect online attackers to begin quickly capitalizing on the eBay password reset warning. "When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective, since the general public is familiar with the situation and may not realize they're being duped," said Troy Gill, senior security analyst at AppRiver, in an emailed statement.

Longstanding advice about never clicking on links in emails -- lest they're a phishing attack in disguise -- applies here. "To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site," said Dwayne Melancon, CTO of Tripwire, in an email.

Also beware of eBay's actual attackers using the stolen plaintext data -- which included eBay users' names, email addresses, and birth dates -- to fashion more realistic-looking fake messages.

5. eBay fails to practice tough love
In the wake of the breach, one security step that eBay didn't take, but should have -- in the eyes of many security experts -- was to forcibly


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Bprince, User Rank: Ninja, 5/30/2014 | 12:32:00 AM
Notification
I find the notification issues raised here troubling. The safest thing to do would be to do a forced reset, and to make the process for changing user passwords as simple as possible.

BP
dan.euritt, User Rank: Apprentice, 5/25/2014 | 12:51:13 AM
Re: Ebay password change
I changed my Ebay password, but I'm still getting the reminder to change it. I guess that leaving the notice up is the easiest way to reach everyone.
RetiredUser, User Rank: Ninja, 5/22/2014 | 1:19:58 PM
Time for Nok Nok Labs?
Not to be flippant, but with Samsung and PayPal turning to Nok Nok Labs, perhaps eBay could follow their lead. Dark Reading has covered Nok Nok Labs many times and I thought this was a nice nutshell: http://www.darkreading.com/risk/nok-nok-labs-delivers-on-vision-for-modern-authentication/d/d-id/1141317?

Their S3 Suite consists of:

-- The NNL(TM) Multifactor Authentication Server (MFAS), which provides a unified, flexible authentication infrastructure that enables user-friendly strong authentication for any device, any authenticator and any application.

-- The NNL(TM) Multifactor Authentication Client (MFAC) Mobile Edition with support for Android and iOS devices, which enables users to authenticate to any application using the existing security capabilities of their mobile devices. Also includes the Mobile App SDK and Authenticator Specific Module (ASM) SDK.

-- The NNL(TM) Multifactor Authentication Client (MFAC) Desktop Edition, with support for Windows 7 and Windows 8, provides user-friendly strong authentication to any application by unleashing the existing security capabilities of billions of desktops and mobile devices.

Call me crazy, but any site dealing with my money had better be securing their infrastructure at a minimum of this level of authentication.
Alison_Diana, User Rank: Moderator, 5/22/2014 | 1:19:40 PM
Re: PayPal
Right there with you, Lorna! That was my first question too -- and despite eBay's protestations to the contrary, I'd recommend changing that PayPal password.
Lorna Garey, User Rank: Ninja, 5/22/2014 | 11:28:02 AM
PayPal
My immediate thought was, is PayPal affected? I mean, so maybe someone logs in as me and bids on and wins something on eBay. That's bad. Using my PayPal to pay for it? Much, much worse. Nice to hear that "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted." Would be nicer if that were independently confirmed.