Two months ago the online mega-market eBay suffered a serious data breach. Information for all of the market’s 145 million buyers could have been accessed. Everything from encrypted passwords to home addresses was at risk. eBay urged all of its users to change their passwords following the breach. The site did say, however, that financial information was not included when the database was hacked. The company discovered the breach in the database about two weeks ago and is currently working with law enforcement. It has stated that it has an aggressive ongoing investigation into the matter.
The company said in a statement that “a small number of employees’ credentials were accessed in the cyber-attack which allowed unauthorized access to eBay’s corporate network.” The company stated that there was “no evidence of unauthorized access to any credit card or other financial information, which is stored separately in an encrypted format.” Passwords for PayPal, the online payment company owned by eBay, were not affected by the hacked database, but customers were contacted by the company to change their passwords, especially if the same password is used for multiple sites, since a reused password will allow hackers to retrieve more information from other databases.
Cyber-attacks seem to be a growing trend, as eBay is one of many companies that have been under attack. Late in 2013, the retail chain Target reported a major breach in its security databases that allowed the leak of financial records for millions of customers. In April, AOL email accounts were hacked and used to send out spam mail, according to an AOL Mail report. Avivah Litan of Gartner said, “cyber-criminals seek out the usernames and passwords along with Social Security and credit card numbers to find out if any of the victims use the same information for their bank accounts.” The cyber-criminal groups behind many of these major database hacks come out of Eastern Europe. These well-organized groups sell and distribute stolen information and merchandise around the world.
The two most commonly used ways to protect stored passwords are encryption and hashing. Encryption, the easier of the two to break, was used by eBay. Anyone with access to the decryption key can access the actual password. Hashing only allows a site to see whether a submitted password is correct; it does not allow access to the plain text of the password.
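The contrast described above, as an added example that is not from the original article and is not eBay's code: a hashed record can only confirm or reject a login attempt, while an encrypted record gives the plaintext back to whoever holds the key. The function names, sample password and PBKDF2 iteration count are assumptions, and the HMAC-based XOR keystream is a standard-library stand-in for a real cipher such as AES.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """One-way: the site stores only (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-hash the login attempt and compare; the answer is only yes or no."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def _keystream(key, nonce, length):
    # Stand-in for a real cipher (e.g. AES), which the stdlib lacks. Not for production.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_password(password, key):
    """Reversible: the site stores (nonce, ciphertext) and holds the key."""
    nonce, data = os.urandom(16), password.encode()
    return nonce, bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(nonce, ciphertext, key):
    """Anyone who obtains the key gets the plaintext password back."""
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

def demo():
    password = "correct horse battery staple"  # constructed sample input
    key = os.urandom(32)
    nonce, ciphertext = encrypt_password(password, key)
    salt, digest = hash_password(password)
    return (decrypt_password(nonce, ciphertext, key),  # plaintext recovered with the key
            verify_password(password, salt, digest),   # correct password
            verify_password("hunter2", salt, digest))  # wrong guess

if __name__ == "__main__":
    print(demo())
```

The hashed record has no counterpart to `decrypt_password`: the only operation it supports is re-hashing a candidate and comparing.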
Trey Ford, a security strategist for Rapid7, said that attackers could use the information obtained from the database to claim to be a representative of the company. He said that users should be cautious of anyone who contacts them claiming to be from eBay or any other company. He urged customers not to click on any links in emails or discuss information over the phone, as criminals could be “phishing.” Eric Chiu, co-founder and president of the security firm HyTrust, said cyber-attacks are becoming more frequent, and that companies like eBay need to assume that the bad guy is already inside the network. eBay has mailed its customers and assured them that it will implement additional security measures to help deter future hacks into its database.
By Melissa Monk