eBay – “One of the biggest data breaches in the history of the internet”
When eBay became aware of the data breach that gave hackers access to the information of 128 million users, it marked one of the largest data breaches to date. The breach gave the hackers access to the names, addresses, telephone numbers, email addresses and passwords of its 128m active users.
Lessons from the eBay cyber attack | ft.com
The company said it had only become aware of the intrusion two weeks ago. As a result, it is now asking its active users to reset their passwords – aiming to rectify what is probably one of the biggest data breaches in the history of the internet.
The eBay database that hackers accessed also contained no financial information on customers, such as credit card numbers, the company said in a statement.
The breach seems to have begun with hackers gaining access to employee credentials. It is not yet clear how that happened. Was it a hack, an inside job, social engineering, or something else? eBay's own blog post gives us no more information on how the employee credentials were obtained.
What this really speaks to is that the idea of one person holding the keys to the kingdom, protected only by a simple username and password combination, is out of date. Furthermore, access to secure systems needs to be logged and watched with constant vigilance.
The following is from the comments on KrebsOnSecurity. If you read past the youthful wording, it shows the weak methodology behind eBay's security even at the password level.
So, I changed my ebay acct pwd. Haven’t used it in 6+ months. Contact info is incorrect (old ph# from a job long gone). CC# expired and paypal not even linked.
Ebay uses a pathetic pwd algorithm check. Fails you if you use spaces. I had non-repeat, alpha-numeric, symbol and cases at 30 minimum characters and it said it was weak! It was generated by…1Password (agilebits) and *still* said weak or had white spaces. WTF? …
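The behaviour the commenter describes can be contrasted with a length-first check. The following is an added example, not part of the original post or the quoted comment, and not eBay's algorithm (which the page does not describe): `legacy_check` is a hypothetical composition-rule checker whose whitespace rule mirrors the comment and whose 20-character cap is an assumption, while `length_first_check` follows NIST SP 800-63B guidance by accepting spaces and long inputs and rejecting blocklisted passwords. The sample passwords, the blocklist and the 80-bit threshold are constructed.

```python
import math
import re
import string
import unicodedata

# Constructed sample blocklist; a real verifier checks a full breached-password corpus.
BLOCKLIST = {"password", "123456", "qwerty123", "letmein"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")
# Constructed 30-character sample standing in for password-manager output.
GENERATED = "v9#Kq2!mZx7@Lp4$Rt6^Wb8&Nc3*Yd"


def legacy_check(pw: str) -> str:
    """Hypothetical composition-rule checker, not eBay's code.

    The whitespace rule mirrors the comment; the 20-character cap is an
    assumption chosen to reproduce "long generated password rated weak".
    """
    if re.search(r"\s", pw):
        return "rejected"
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    classes = sum(bool(re.search(p, pw)) for p in patterns)
    if len(pw) < 8 or len(pw) > 20 or classes < 3:
        return "weak"
    return "strong"


def pool_bits(pw: str) -> float:
    """Upper-bound entropy in bits; meaningful only for randomly generated input."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def length_first_check(pw: str) -> str:
    """Length-and-blocklist check: spaces and long inputs are accepted and
    no character-class rules are imposed."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8 or pw.lower() in BLOCKLIST:
        return "rejected"
    # 80 bits is an assumed cut-off for this example, not a standard value.
    return "strong" if pool_bits(pw) >= 80 else "weak"


if __name__ == "__main__":
    for sample in (GENERATED, "tin kettle orbit maple", "Password1", "password"):
        print(f"{sample!r:34} legacy={legacy_check(sample):9} "
              f"length_first={length_first_check(sample)}")
```

The composition-rule checker rates `Password1` as strong while rating the 30-character generated value weak and refusing the spaced passphrase; the length-first check reverses all three results.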