Security alert to all eBay users: Change your passwords now.
That warning was issued Wednesday by eBay, which announced that hackers stole legitimate employee login credentials and used them to access eBay's network and steal a database containing information on 145 million users. The stolen database included personal information on users stored in plaintext format, as well as hashed and salted copies of their eBay passwords.
Here's what's known so far about the breach, how eBay has responded, as well as what users should do and expect in the wake of the breach.
1. Breach undetected for two months
While the breach appears to have occurred in late February or early March -- after attackers stole several employees' login credentials -- the theft and unauthorized use of those credentials wasn't detected until "about two weeks ago," thus triggering an investigation, eBay said in a blog post Wednesday. "Extensive forensics subsequently identified the compromised eBay database."
Having a breach last for at least two months before it's detected isn't unusual. According to a study of 2013 breaches released Wednesday by Trustwave, when a business self-detects a breach, that detection takes place -- on average -- 32 days after the breach occurred. Meanwhile, when an organization learns about the breach from a third party, an average of 108 days, or more than three months, will have elapsed from breach to notification.
2. Unclear: Password encryption strength
One worry, however, is that after having stolen eBay passwords available offline, attackers may have had time to recover them, using next-generation password-cracking systems.
An eBay spokesman didn't immediately respond to an emailed request for more information about exactly how the passwords had been encrypted. That information could help information security experts estimate if -- or for how long -- the stolen passwords might be safe.
To be clear, eBay said there's no indication that the stolen, encrypted password data has been cracked and used by attackers. Likewise, the company said that all financial information, including that pertaining to subsidiary PayPal, was stored separately. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
3. Public notification: eBay stumbled
eBay arguably fumbled its public breach notification after Engadget reported seeing a half-finished PayPal blog post Wednesday warning people to change their eBay passwords. But after that news broke, and eBay posted an official statement on its website, it still took the online auction business more than 24 hours to send an email alert to all of its users.
In the meantime, the password-reset advisory remained noticeably absent from the online auction site's homepage or login screen for some hours, leading security expert Graham Cluley to ask why eBay seemed to be "burying news of its security breach from its millions of Web visitors."
When the company eventually did put a warning on its homepage, it linked to a static warning message, leaving users to navigate multiple drop-down menus, and execute at least a half-dozen clicks, to try and locate the password reset page.
What would have been simpler is if eBay's website notice included a link to its password-reset page.
4. Beware phishing attacks
Going forward, expect online attackers to begin quickly capitalizing on the eBay password reset warning. "When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective, since the general public is familiar with the situation and may not realize they're being duped," said Troy Gill, senior security analyst at AppRiver, in an emailed statement.
Longstanding advice about never clicking on links in emails -- lest they're a phishing attack in disguise -- applies here. "To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site," said Dwayne Melancon, CTO of Tripwire, in an email.
Also beware eBay's actual attackers taking stolen plaintext data -- which included eBay users' names, email addresses, and birth dates -- to fashion more realistic-looking fake messages.
5. eBay fails to practice tough love
In the wake of the breach, one security step that eBay didn't take, but should have -- in the eyes of many security experts -- was to forcibly
expire all users' passwords so they had to be reset. "eBay should programmatically force a reset of all passwords because just asking nicely will be ignored by too many," says TK Keanini, CTO of Lancope, in an emailed statement. "They also should offer a two-factor authentication method as others have done. All of these things help raise the cost to attackers."
The need to force password resets is reinforced by the results of a new survey conducted by antivirus firm Avast. "Only 40% of the respondents who were aware of Heartbleed said they had actually changed their passwords," according to an Avast blog post about the survey, which was released this week. "This number closely matches Pew's Heartbleed report which found that 39% of Internet users have changed their passwords or canceled accounts."
If the Heartbleed password-change rate holds true for eBay's user base, that would mean, of the 145 million people whose encrypted password data was reportedly stolen, 87 million would still be vulnerable to having their accounts compromised if attackers successfully decrypt the stolen passwords.
6. Expect new two-factor authentication options
People who want better eBay site security can tap two-factor authentication, in the form of a PayPal Security Key (as the name implies, it also works for PayPal), which is a credit-card-sized device that generates random, temporary security codes that are used as a second factor together with a password, for authentication.
But the card will cost you a one-time fee of $30. "There's no monthly service fee or additional cost," according to eBay. "Replacement keys are the same price."
Alternately, the PayPal Security Key can be used as a free service via a mobile phone, with the one-time codes being sent via SMS, for example, as sites such as Dropbox and Twitter also do.
Going forward, it's likely that eBay might add mobile apps to its list of two-factor authentication options. In its security advisory, for example, eBay previewed unspecified, new possibilities, saying that "we are looking at other ways to strengthen security on eBay" and noting that "in the coming days and weeks we may be introducing new security features."
7. Breach lesson: Employ password managers, or else
Tapping two-factor authentication, where available -- and when it works well -- is an excellent security step. But the approach still relies on the strength of your password, and no password is ever completely safe.
Accordingly, people should never reuse their passwords. That way, a breach at a site such as eBay (which, although it enjoys an excellent security reputation, was still hacked) won't allow attackers to reuse stolen passwords on other sites. "Each account, especially accounts containing personal information and credit card details, should have its own password," says Ondrej Vlcek, COO at Avast, in an email. "In a situation like this you really don't want your PayPal and eBay accounts to have the same passwords."
Practically speaking, the only way to securely track a large amount of online account details and related access credentials is to use a password manager. While some people worry that storing all of the sensitive information in one location will create a single point of failure, numerous information security experts argue that because password managers can themselves be secured with a complex password, the benefits of being able to maintain unique, strong passwords for every online account you use far outweigh any potential security downsides.
With the rise of mobile devices and synchronization capabilities, furthermore, people can keep secure copies of their passwords on their smartphones, tablets, PCs, or even on secure websites, for easy retrieval no matter where they are.Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio