Ebay gets hacked
May. 25th, 2014 09:55 am
...and responds in exactly the way they shouldn't have.
First, apparently some employees got spearphished and some employee accounts were compromised, which gave the attackers a way in to some of Ebay's 145 million auction accounts. So everyone should change their password. Except I have an Ebay account and haven't received an email saying that I should do it. And honestly, since Ebay owns PayPal, it would probably be a good idea to change your password over there, too; we don't know how tightly their networks are intertwined.
To quote Krebs, "The company said the information compromised included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users."
http://krebsonsecurity.com/2014/05/ebay-urges-password-changes-after-breach/
Krebs goes on to point out that PayPal now offers two-factor security authentication, which is a dongle (for $30) or a smartphone app (free) to give you a second, changing, password that must also be entered to access your account. The dongle has to be replaced for $30 when the battery eventually fails.
I think I'll go with the smartphone app.
https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
The problem is that Ebay initially posted news of the hack on a part of their web site that most people never see, instead of blasting out emails to all of their customers telling them that their accounts may have been compromised. Very bad form. The attack occurred in February or March, so it's taken them almost two months to notify anybody. VERY bad form. It'll be interesting to see how many lawsuits result from this one. There's been no known criminal activity thus far, compared to the Target breach, but still, some corporate heads should roll. And no one knows, because Ebay won't say, what scheme Ebay used to encrypt the passwords, so no one can estimate how long it'll take to break them. My bet is they used double-ROT13. ;-)
http://www.wired.com/2014/05/ebay-demonstrates-how-not-to-respond-to-a-huge-data-breach/
Now here's an amusing thing about it: criminals are scamming criminals! Someone is "selling" Ebay customer lists for 1.453 bitcoins. The problem: the list is fake. The actual thieves may or may not have decrypted the user accounts yet, we don't know, but people have verified that the list for sale is most likely not from Ebay. The reason, as tested by Krebs and others, is that you can have only one email address per account, so they took some of the email addresses from the list and tried to create Ebay accounts with them, and they could.
The same thing happened when LinkedIn was compromised; I missed the news on that one.
http://krebsonsecurity.com/2014/05/expert-fake-ebay-customer-list-is-bitcoin-bait/
This isn't the only security vulnerability for Ebay. A security researcher found that they were vulnerable to cross-site scripting (XSS) attacks, notified Ebay, and was ignored. He recently found that they were still vulnerable to the same exploit. While this was probably not involved in this most recent attack, it's still something that should have been addressed.
http://it.slashdot.org/story/14/05/24/1334243/severe-vulnerability-at-ebays-website
While it's fun to poke fun at major corps like this when they fall down, it's not easy doing web site security. As a case in point, also from Krebs, there's an organization called "the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam." It would seem that these people who certify people who want to be viewed as security professionals also had an exploitable web site. One such security professional was renewing his membership to keep his certification active, and noticed that the URL contained the dollar amount of his payment. So he decided to test the system and changed the amount in the URL to zero, and the system accepted his free renewal. He re-paid his membership, notified (ISC)², and was thanked for spotting the vulnerability. It has since been fixed.
http://krebsonsecurity.com/2014/05/white-hat-hacker-schools-security-pro-school/