Online auction giant eBay was hacked back in February, and is just now telling all users to change their passwords. According to the company, it only learned about the breach just two weeks ago, indicating the attackers were skilled in evading detection systems at one of the most high-profile Internet companies in the world.
The only piece of good news is that no financial data was stolen, but amidst the compromised information were users’ encrypted passwords, home addresses, email addresses, phone numbers and dates of birth. eBay wouldn’t tell me what level of encryption was wrapped around those passwords, so it’s difficult to tell how well protected users’ credentials were, and still are.
eBay’s comments on the breach noted the perpetrators were sophisticated enough to get hold of employee logins, which allowed them access to the eBay corporate network. That would indicate internal data may have been compromised too, but eBay didn’t offer anything outside of its official website post.
“Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers,” the company, which also owns PayPal, said.
“The compromised employee login credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today,” the announcement continued. “The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.”
There are now big questions around how eBay was protecting user information, said Norwegian security consultant Per Thorsheim.
Encryption, where data is protected with a digital lock and key (or a two-way function, in security speak), is not an effective way to protect passwords when compared to hashing (a one-way function that turns the password into garbled nonsense with no key to turn it back). Thorsheim told me he was concerned to hear eBay say it was using regular encryption, rather than hashing, as in the case of Adobe, which was hacked last year and was criticised for using weak encryption methods.
“If you’re storing the password in a really good way, with a hash, I don’t have to get off my plane to change my password. But if it’s just encrypted I have to,” he said, as he was about to board a flight.
But it’s likely some of those compromised passwords have been exposed already, as the hackers have had over two months to brute force the protection around the credentials, Thorsheim added.
In such attacks, cracking programs run candidate passwords through the same algorithm that scrambled the stolen ones and compare the results against the stolen data; a match reveals the plain-text password. Where simple passwords are used, hackers already hold precomputed results for them, making such passwords extremely simple to expose.
“[Even] if the passwords were stored using a hash algorithm, no matter what algorithm was used, some of the passwords would have been cracked by now, as some people are using crappy passwords on eBay as they do on any other site,” Thorsheim added.
Where “salts” are used, adding random data as an input to the hashing process, password cracking can be made that much more difficult for hackers. Again, eBay has not specified whether this was done.
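To make the difference concrete, here is an added example (not from the article or from eBay) contrasting unsalted hashes, which one precomputed table cracks across every account, with salted, iterated hashes, which force attackers to work per account. It assumes PBKDF2-SHA256 as the salted scheme and a constructed list of weak passwords; the article does not say which algorithm eBay used.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords, standing in for the reused
# "crappy passwords" the article mentions (not real eBay data).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_sha256(password: str) -> str:
    """Plain hash with no salt: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed once; without salts, one table covers every account in a dump."""
    return {unsalted_sha256(p): p for p in candidates}


def crack_unsalted(stored_hash: str, table):
    """Recover a weak password from an unsalted hash by table lookup."""
    return table.get(stored_hash)


def hash_with_salt(password: str, salt=None, iterations: int = 100_000):
    """Salted, iterated hash (PBKDF2-SHA256); salt is random per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted_with_table(digest: bytes, table):
    """The unsalted table never matches a salted digest: returns None."""
    return table.get(digest.hex())


def crack_salted_per_account(salt: bytes, iterations: int, digest: bytes, candidates):
    """Salting does not save a weak password; it only forces a fresh,
    iteration-heavy guess per account instead of one shared table lookup."""
    for guess in candidates:
        if verify_salted(guess, salt, iterations, digest):
            return guess
    return None
```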
Security experts have also queried why eBay had not encrypted personal information in the database, like email and physical addresses. Thorsheim expressed concern such information will now be used to scam people worried about the breach.
“If the scammers haven’t already, they will soon send out emails pretending to be eBay asking people to change their passwords. That’s just one of the things we need to warn people about,” Thorsheim added.
Cal Leeming, an IT consultant and ex-hacker who was convicted in 2006 for using stolen credit cards to buy items before selling them on eBay, said the same old security problems continue to haunt the online giant.
“Back when I was doing it, things were much the same,” he told me. “At the end of the day, it all comes down to the same things: vulnerabilities and weaknesses.”
“In many ways the industry has made huge leaps forward in technology, but we still have the same old problems… the majority of the time, it’s because someone somewhere didn’t do their job right,” he said.