eBay is asking all its users to change their passwords after attackers compromised employee credentials and gained unauthorized access to a database that stored personal information.
The company learned of the unauthorized access in May and, following an investigation, determined that the attack may have occurred sometime between late February and early March, according to a release, which adds that the issue is believed to be resolved.
Details are scarce as the investigation is ongoing, but officials with the popular online auction and shopping website announced on Wednesday that attackers gained unauthorized access to a database containing names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords.
An eBay spokesperson did respond to a SCMagazine.com inquiry into the type of encryption that the company uses, but in a Wednesday email correspondence with SCMagazine.com, Cris Thomas, technical manager with Tenable Network Security, said he wants to know how the passwords were encrypted, and if the data was salted.
“With that information, I can have a realistic idea of what the chances are of my password being brute-forced,” Thomas said. “That way I can determine my level of exposure and be able to offer practical advice to other people who may also be impacted.”
In a Wednesday email correspondence, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that even larger companies are guilty of storing customer passwords simply by using classic MD5 hashes without salt, which could enable decryption.
According to a FAQ posted Wednesday by eBay, financial information, as well as Social Security numbers, Taxpayer Identification numbers and National Identification numbers, were not compromised. Additionally, eBay said its other platforms – PayPal, StubHub, eBay Classifieds, Tradera, GMarket, GumTree and GittiGidiyor – were unaffected.
The company will not speculate on the identity of the attackers, as an investigation is ongoing with law enforcement and security experts, and it was not specific about how a small number of employees had their credentials compromised, enabling the unauthorized access into eBay's network.
“The typical way these attacks start is through simple tactics like phishing, watering hole attacks, or other avenues for gaining a foothold on an employee machine, or device,” Andrey Dulkin, senior director of cyber innovation with CyberArk, told SCMagazine.com in a Wednesday email correspondence.
Dulkin added, “From this foothold, attackers then typically steal base-level user credentials, which are often privileged or administrative credentials, and begin the cycle of privileged elevation to gain additional access to systems and servers.”
Another, more advanced tactic involves chaining zero-day vulnerabilities in popular software and operating systems, Kolochenko added.
All eBay users are being notified of the incident and are being asked to change their encrypted passwords, and, although it was not specifically outlined, eBay said it is adding more security protections to ensure similar incidents do not occur.
Although eBay said it has not seen any increased fraudulent activity on user accounts, security analysts with AppRiver noted that they have blocked tens of thousands of PayPal phishing emails – targeting personal information – in the past few days.
“When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective since the general public is familiar with the situation and may not realize they're being duped,” Troy Gill, senior security analyst at AppRiver, said in a statement to SCMagazine.com.