The Bankwatch

Tracking the consumer evolution of financial services

eBay – “One of the biggest data breaches in the history of the internet”

When eBay became aware of the data breach that gave hackers access to the user information of 128 million users, it heralded one of the largest data breaches to date. This gave the hackers access to the names, addresses, telephone numbers, email addresses and passwords of its 128 million active users.

Lessons from the eBay cyber attack | ft.com

The company said it had only become aware of the intrusion two weeks ago. As a result, it is now asking its active users to reset their passwords – aiming to rectify what is probably one of the biggest data breaches in the history of the internet.

The eBay database that hackers accessed also contained no financial information on customers, such as credit card numbers, the company said in a statement.

The breach seems to have begun with hackers gaining access to employee credentials. It is not yet clear how that happened. Was it a hack, an inside job, social engineering, or something else? eBay's own blog post gives us no more information on how the employee credentials were obtained.

What this really speaks to is that the concept of one person holding the keys to the kingdom behind a simple username and password combination is out of date. Furthermore, there needs to be logging and constant vigilance over access to secure systems, all the time.

This is from the comments on KrebsOnSecurity, and if you read past the youthful wording it shows the weak methodology behind eBay's security, even at the password level.

So, I changed my ebay acct pwd. Haven’t used it in 6+ months. Contact info is incorrect (old ph# from a job long gone). CC# expired and paypal not even linked.

Ebay uses a pathetic pwd algorithm check. Fails you if you use spaces. I had non-repeat, alpha-numeric, symbol and cases at 30 minimum characters and it said it was weak! It was generated by…1Password (agilebits) and *still* said weak or had white spaces. WTF? …
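To make the commenter's complaint concrete, here is a small Python model of the two kinds of password check being contrasted. It is an added example, not code from this post, from eBay, or from the FT article: the composition-rule validator that rejects whitespace and caps length is a constructed stand-in for the behaviour described above, and the length-and-denylist validator follows the general direction of NIST SP 800-63B (minimum length, a generous maximum, any printable character including space, a breached-password denylist, no mandatory character classes). The 16-character cap, the denylist entries, the entropy threshold and the sample passwords are all constructed for illustration.

```python
import math
import string

# Constructed denylist stub standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "correcthorsebatterystaple"}

# Constructed 32-character password of the kind a manager like 1Password emits,
# deliberately containing spaces.
GENERATED = "Tk7!mwQ2 Lp9#vxRs 4Bz$nHe cJ5&yU"


def _classes(password):
    """Return which character classes are present: lower, upper, digit, punctuation, space."""
    return (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        " " in password,
    )


def weak_policy(password):
    """Composition-rule check of the kind the commenter ran into (constructed):
    refuses whitespace, caps length at 16, and judges strength by character
    classes alone, so a short predictable password passes and a long
    generated one is refused."""
    if " " in password:
        return (False, "whitespace not allowed")
    if len(password) > 16:
        return (False, "too long")
    lower, upper, digit, punct, _ = _classes(password)
    if len(password) < 8 or sum((lower, upper, digit, punct)) < 3:
        return (False, "weak")
    return (True, "ok")


def estimated_entropy_bits(password):
    """Rough upper-bound entropy: log2(alphabet ** length), where the alphabet
    is the union of character classes present. Spaces and punctuation widen
    it rather than disqualifying the password."""
    lower, upper, digit, punct, space = _classes(password)
    alphabet = (26 * lower + 26 * upper + 10 * digit
                + len(string.punctuation) * punct + 1 * space)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def length_first_policy(password, min_len=12, max_len=64, min_bits=60):
    """Length-first check in the spirit of NIST SP 800-63B: any printable
    character is allowed, length is enforced at the low end and capped only
    generously at the high end, known-common passwords are refused, and
    strength is judged by estimated entropy rather than forced classes."""
    if len(password) < min_len:
        return (False, f"shorter than {min_len} characters")
    if len(password) > max_len:
        return (False, f"longer than {max_len} characters")
    if not all(c.isprintable() for c in password):
        return (False, "contains non-printable characters")
    if password.lower() in COMMON_PASSWORDS:
        return (False, "appears on common-password denylist")
    bits = estimated_entropy_bits(password)
    if bits < min_bits:
        return (False, f"estimated entropy {bits:.0f} bits below {min_bits}")
    return (True, "ok")


if __name__ == "__main__":
    for pw in (GENERATED, "Passw0rd!", "correcthorsebatterystaple", "aaaaaaaaaaaa"):
        print(f"{pw!r:36} weak_policy={weak_policy(pw)} length_first={length_first_policy(pw)}")
```

Run as a script, the generated 32-character password is refused by the composition check for its spaces but accepted by the length-first check, while `Passw0rd!` satisfies every composition rule and is refused by the length-first check for being too short.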

Written by Colin Henderson

May 22, 2014 at 22:45

Posted in Uncategorized

One Response


  1. Sadly, eBay isn’t the only company guilty of weak password practices. When I started using 1Password about a year ago, I systematically changed all my passwords. At that time, I noticed that financial institutions and business tools were among those with the most limiting password requirements, including maximum length less than 16 characters, no punctuation or other non-alphanumeric characters. I expect better from companies that hold so much sensitive data.


