
eBay Database Breached via Employee Credentials

eBay has urged its users to change their passwords.

eBay has just announced that one of its databases – which contains customer names, encrypted passwords, email addresses, contact details and dates of birth – was hacked earlier this year and has urged its users to change their passwords. According to a post on eBay’s corporate site, cyber attackers had obtained access to “a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network.”

“The very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach,” said Dan Dinnar, Vice President for Asia Pacific, CyberArk.

“These powerful accounts hold the proverbial ‘keys to the kingdom’. As evident here, they have access to vast stores of information, data and control within the organisations’ digital depositories and, as a result, are the primary target for any hacker who is on the ball. Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked.”

“Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing. The way in for these malicious attacks is through the inside and, as such, protection needs to start here – at the heart of the organisation.

Monitoring and controlling these powerful accounts every time they’re used is paramount to mitigating the impact of an inside breach. Businesses must start better protecting their assets and critical to this is securing the privileged accounts which form the primary vehicle for so many successful attacks.”

Trend Micro urges eBay users to change passwords owing to the recent breach. Dhanya Thakkar, Managing Director, India & SEA, Trend Micro, says, “If you’re an eBay customer, what this means first and foremost is that you should change your password right away. With the ongoing spate of data breaches like this, it’s all the more important to try and use unique passwords for each site. This is where a password manager tool like Trend Micro’s DirectPass can help.

Beyond changing your password, this incident shows again why you may want to look into real-time identity theft monitoring as well. Unlike other data breaches we’ve seen, this one includes physical address, telephone number and date of birth, all of which can make it easier for criminals to steal your identity. Just changing your password won’t protect you against this threat.”

Some questions for eBay from Trend Micro
If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? It is noted with chagrin that “all PayPal financial information is encrypted”; still running a two-tier system?

If you’re going to tell us that it was encrypted, but the attacker got access to stolen database credentials, why was there no two-factor authentication to access these crown jewels?

Why did it only take compromised credentials to gain access to the corporate network? Again, where’s the multi-factor?

Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately, not to mention exfiltrated? Where are the breach detection systems?

How was my password “encrypted”? We want details. We want to know which algorithm and how you salted it. We want to know the realistic chances of my password being brute-forced, so we can make an educated assessment of my level of exposure and offer practical advice to others.
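The last question is the one that can actually be quantified. The block below is an added example, not code from eBay, Trend Micro or this article: it contrasts an unsalted fast hash with a per-user-salted, iterated KDF (PBKDF2-HMAC-SHA256), counts the hash work an attacker needs for a wordlist attack against a handful of constructed sample accounts, and gives a worst-case brute-force estimate for a given guess rate. The usernames, passwords, wordlist, iteration count and hash rate are all assumptions chosen for illustration.

```python
"""Added example: why the algorithm and the salt behind an "encrypted" password
decide how exposed its owner is. Not eBay's scheme; all data here is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (assumption: not real eBay data).
SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "correct horse battery staple",  # deliberately absent from the wordlist
    "dave": "password1",                      # same password as alice
}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumption: a plausible iteration count for a slow KDF


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: a single fast, unsalted digest. Equal passwords give equal hashes,
    so one precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Stronger scheme: random per-user salt plus an iterated KDF.
    Returns (salt, iterations, digest) as it would be stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of an unsalted table: hash each candidate ONCE and look it up
    against every user. Returns (recovered passwords, number of hash calls)."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in stored.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    calls = 0
    for word in wordlist:
        calls += 1
        for user in by_hash.get(store_unsalted_sha1(word), []):
            recovered[user] = word
    return recovered, calls


def crack_salted(stored: Dict[str, Tuple[bytes, int, bytes]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts there is no shared lookup: every (user, word) pair costs a
    full KDF run of `iterations` rounds. Returns (recovered, number of KDF calls)."""
    recovered: Dict[str, str] = {}
    calls = 0
    for user, (salt, iterations, digest) in stored.items():
        for word in wordlist:
            calls += 1
            candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                recovered[user] = word
                break
    return recovered, calls


def worst_case_seconds(charset_size: int, length: int,
                       hashes_per_second: float, iterations: int = 1) -> float:
    """Worst-case time to exhaust a keyspace at a given raw hash rate. A KDF with
    `iterations` rounds divides the attacker's effective guess rate by that factor."""
    return (charset_size ** length) * iterations / hashes_per_second


if __name__ == "__main__":
    unsalted = {u: store_unsalted_sha1(p) for u, p in SAMPLE_PASSWORDS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
    # Assumed rate: 1e9 SHA-1/s for a GPU rig; 8 lowercase letters, with and without KDF.
    print("8 lowercase, raw SHA-1:", worst_case_seconds(26, 8, 1e9), "s")
    print("8 lowercase, PBKDF2:   ", worst_case_seconds(26, 8, 1e9, PBKDF2_ITERATIONS), "s")
```

The two cracking functions report the number of hash calls, which is the quantity that answers the question: with an unsalted fast hash the attacker pays once per candidate word regardless of how many users leaked, and identical passwords are visible as identical hashes; with a salted KDF the cost scales with users times words times iterations.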
