AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
Data Security: eBay Has Data Breach, Asks Users To Change Password

eBay, the online auction powerhouse based in San Jose, California, has announced that hackers infiltrated the company's networks.  The damage was mitigated to an extent because the stored passwords were encrypted; even so, the company is asking all users to change their passwords.  Although the full extent of the damage is not yet known, it appears that the hackers had access to databases that contained 145 million records.

That figure makes this latest hack the second largest in history, behind Adobe's 152 million user breach in October 2013.

How Many Out of 145 Million?

The breach occurred sometime between late February and early March of this year, according to reuters.com, when a number of eBay employees were successfully phished by the hackers.  The hackers did access the records of 145 million users (bloomberg.com describes these more specifically as "active buyers"; there is no word on how such buyers are defined, or whether non-active buyers were held in a separate set of records).  eBay spokespeople have stated that the online criminals copied a large part of that database, though apparently not all of it.

Records that were stolen include encrypted passwords, dates of birth, mailing addresses (so quaint!), and other personal information, but nothing that includes financial data.

Change Your Passwords

Company officials are recommending all users to change their passwords despite the use of encryption on the passwords:
EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them. [reuters.com]
Does this mean that eBay made sure its password protection was implemented correctly?  A spokesperson's "encrypted" usually means a one-way hash, and how much that hash is worth depends on the details.  We've seen in the past how passwords were stored without a salt (the per-user random value that makes two identical passwords produce different hashes, so a single precomputed table cannot crack everyone at once), or were truncated before hashing (as the old Unix crypt scheme did at eight characters), making them far easier to recover.  Or is this just a legal / PR department jujitsu move that means they literally don't have a reason to believe that the encryption was broken?
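To make the salting and truncation point concrete, here is an added example (not code from the original post, and nothing to do with how eBay actually stores passwords). It hashes a small constructed set of users three ways: an unsalted SHA-1, an unsalted hash of a password cut to eight characters, and a salted PBKDF2-HMAC-SHA256, then runs the same constructed four-word cracking dictionary against the unsalted and salted stores and counts how many hash computations each attack costs. The user names, passwords and wordlist are invented for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: two users happen to share a password.
USERS: Dict[str, str] = {
    "alice": "summer2014",
    "bob": "summer2014",
    "carol": "correct horse battery",
}

# Constructed attacker wordlist; real ones hold millions of entries.
WORDLIST: List[str] = ["123456", "password", "summer2014", "letmein"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one deterministic digest per password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def truncated_unsalted(password: str, limit: int = 8) -> str:
    """Worse: the password is cut to `limit` characters before hashing,
    so any two passwords sharing a prefix collide."""
    return hashlib.sha1(password[:limit].encode()).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, slow one-way hash: fresh random 16-byte salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = salted_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def crack_unsalted(store: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted: hash the wordlist ONCE, then look every user up in the table.
    Cost is len(wordlist) hashes no matter how many users are in the dump."""
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {user: table[d] for user, d in store.items() if d in table}
    return found, len(wordlist)


def crack_salted(store: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int = ITERATIONS) -> Tuple[Dict[str, str], int]:
    """Salted: no shared table is possible, so every candidate is rehashed
    for every user, and each rehash costs `iterations` rounds."""
    found: Dict[str, str] = {}
    calls = 0
    for user, (salt, digest) in store.items():
        for w in wordlist:
            calls += 1
            if verify_pbkdf2(w, salt, digest, iterations):
                found[user] = w
                break
    return found, calls


def demo() -> dict:
    """Build both stores from USERS and attack each with WORDLIST."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    return {
        # identical digests reveal that alice and bob share a password
        "unsalted_collision": weak["alice"] == weak["bob"],
        "salted_collision": strong["alice"][1] == strong["bob"][1],
        # "password123" and "password456" both hash as "password"
        "truncation_collision": truncated_unsalted("password123")
        == truncated_unsalted("password456"),
        "cracked_unsalted": crack_unsalted(weak, WORDLIST),
        "cracked_salted": crack_salted(strong, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks still recover "summer2014", because a weak password in the attacker's dictionary is weak under any scheme; what the salt and the work factor change is the price: four SHA-1 calls for the whole unsalted dump versus ten PBKDF2 calls of 100,000 rounds each for three salted users, and that multiplier grows with every additional user. That is the difference between "passwords were encrypted" meaning something and meaning nothing, and a user-facing "change your password" advisory is appropriate in either case.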

At least one person seems to have tossed his hat in the second camp:
Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so. [reuters.com]
Perhaps.  On the other hand, if you are a responsible adult, what would you say? Don't change your password?  That just seems so irresponsible.

Security is About Layers, Managing Risk

The one thing that people should remember in times like these is that security is not about eliminating risk, it's about managing it.  Despite the numbers involved here, it looks like eBay went about things the right way: it caught and announced the intrusion in a relatively short period, had adequate security measures in place, and made sure everyone heard about it.

Of course, this will probably not prevent lawsuits from being filed, but it should be fairly easy for eBay to get them dismissed.

Related Articles and Sites:
http://www.bloomberg.com/news/2014-05-21/ebay-asks-users-to-change-their-passwords-after-cyber-attack.html
http://www.reuters.com/article/2014/05/22/us-ebay-password-idUSBREA4K0B420140522

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.