eBay, the online auction powerhouse based in San Jose, California, has announced that hackers infiltrated the company’s networks. The intrusion’s damage was mitigated to an extent by the use of data encryption; however, the company is asking all users to change their passwords. Although the extent of the damage is not yet known, it appears that the hackers had access to databases that contained 145 million records.
That figure makes this latest hack the second largest in history, behind Adobe’s 152 million user breach in October 2013.
How Many Out of 145 Million?
The breach occurred sometime between late February and early March of this year, according to reuters.com, when a number of eBay employees were successfully phished by the hackers, whose credentials then gave the attackers a path into the corporate network. Although the hackers did access the records of 145 million users (more specifically, bloomberg.com notes they were “active buyers.” No word on how such buyers are defined, or whether there was a separate set of records for non-active buyers), eBay spokespeople have stated that the online criminals were able to copy a large part, but not all, of the database.
Records that were stolen include encrypted passwords, dates of birth, mailing address (so quaint!), and other personal information…but nothing that includes financial data.
Change Your Passwords
Company officials are recommending that all users change their passwords despite the use of encryption on the passwords:
EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them. [reuters.com]
Does this mean that eBay made sure their password protection was implemented correctly? We’ve seen in the past how stored passwords were not salted (a per-user random value mixed into the hash, so that two users with the same password get different stored values and an attacker cannot crack the whole database in one pass with a precomputed table) or were truncated, making them less secure. Strictly speaking, passwords should not be “encrypted” (reversible) at all but hashed with a salt and a slow, iterated function, so that even the company holding the key cannot recover them. Or is this just a legal / PR department jujitsu move that means they literally don’t have a reason to believe that the protection was broken?
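To make the salting point concrete, here is an added example (not code from the original post, and not eBay’s implementation, which the company has not described): a constructed table of three hypothetical users, two of whom share a password, stored once as unsalted SHA-256 and once as salted, iterated PBKDF2-HMAC-SHA256. The attack functions use a constructed four-word dictionary and count how many hashes the attacker has to compute. With unsalted hashes one precomputed digest per dictionary word cracks every user sharing that password; with per-user salts the attacker must redo the work for each user, and the iteration count multiplies the cost of every guess.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" user table (hypothetical, not eBay data).
# alice and carol deliberately share a password.
USERS = {
    "alice": "password123",
    "bob": "correct horse battery staple",
    "carol": "password123",
}

# Constructed stand-in for an attacker's dictionary.
WORDLIST = ["letmein", "password123", "qwerty", "123456"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords always produce identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt and a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_unsalted(users: dict) -> dict:
    """The weak scheme: user -> hex digest, no salt, no work factor."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict, iterations: int = 200_000) -> dict:
    """The sound scheme: user -> (random 16-byte salt, iterations, digest)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, iterations, salted_hash(p, salt, iterations))
    return table


def verify_salted(table: dict, user: str, candidate: str) -> bool:
    """Login check against the salted table, in constant time."""
    salt, iterations, digest = table[user]
    return hmac.compare_digest(salted_hash(candidate, salt, iterations), digest)


def crack_unsalted(table: dict, wordlist: list):
    """Attacker hashes each word once, then matches it against every user.

    Returns (cracked {user: password}, number of hashes computed).
    """
    lookup = {unsalted_hash(w): w for w in wordlist}  # tiny rainbow-table analogue
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted(table: dict, wordlist: list):
    """Attacker must redo the whole dictionary per user because salts differ.

    Returns (cracked {user: password}, number of PBKDF2 calls made).
    """
    cracked = {}
    hashes_computed = 0
    for u, (salt, iterations, digest) in table.items():
        for w in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(salted_hash(w, salt, iterations), digest):
                cracked[u] = w
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("unsalted, alice == carol:", weak["alice"] == weak["carol"])
    print("unsalted crack:", crack_unsalted(weak, WORDLIST))
    strong = store_salted(USERS)
    print("salted, alice == carol:", strong["alice"][2] == strong["carol"][2])
    print("salted crack:", crack_salted(strong, WORDLIST))
```

The iteration count is the knob that turns “the attacker has the file” into “the attacker has the file and a large electricity bill”; the truncation problem mentioned above is the opposite mistake, shrinking the input the attacker has to guess.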
At least one person seems to have tossed his hat in the second camp:
Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so. [reuters.com]
Perhaps. On the other hand, if you are a responsible adult, what would you say? Don’t change your password? That just seems so irresponsible.
Security is About Layers, Managing Risk
The one thing that people should remember in times like these is that security is not about eliminating risk, it’s about managing it. Despite the numbers involved here, it looks like eBay went about things the right way: they caught and announced the intrusion in a relatively short period, had protections in place (passwords stored in scrambled form, financial data kept out of the compromised database), and made sure everyone heard about it.
Of course, this will probably not prevent a lawsuit from being filed, but it should be pretty easy for eBay to get such suits dismissed.