How many times this year will I have to change my password? (or Ouch, eBay hacked)

On Wednesday 21 May, eBay announced they had been breached. The latest details indicate that a large part of their 145 million user database has been copied.

eBay is a multinational consumer-to-consumer online auction and shopping website in which people and businesses buy and sell a broad variety of goods and services worldwide. In 2012 it reported more than US$175 billion of commerce globally through eBay Marketplaces, PayPal and retail solutions provider GSI.

This makes eBay a red hot target for hackers, not only for the potential rewards but also in terms of kudos from a successful hack. Due to its prime target status, eBay must have been targeted 24/7, 365 days a year by criminal gangs, rival businesses and hackers out to make a point. This means that eBay must have had a robust security policy and a skilled team of network administrators as part of their defences. The PCI SSC emphasise the need for constant alertness and preparedness, with log monitoring a mandatory part of the PCI DSS for merchants with multiple payment channels and for organisations the size of eBay. The PCI SSC has reported time after time that breaches are all too often detected months after the initial breach. According to reports, the breach at eBay was detected in May, but occurred two to three months earlier.

eBay has reported that the hackers got in after obtaining login credentials for “a small number” of employees, allowing them to access eBay’s corporate network.

Until more details come out, we can only speculate about the policies eBay had in place regarding user accounts and the segregation of sensitive data from their general corporate network.

How does this hack compare?

In terms of data breaches, this is a biggie. Here are some other notable breaches:

  • Computer security experts say the biggest such breach was uncovered at software developer Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.
  • The Target Corp breach disclosed in December of last year included some 40 million payment card numbers and another 70 million customer records.
  • The Heartland Payment Systems breach in March 2008 impacted 134 million credit cards, exposed through an SQL injection that installed spyware on Heartland’s data systems.

The advice

eBay gave the following advice this week: “[We] are asking all eBay users to change their password. This is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.”

For the security-savvy user, it will only be the eBay password that needs changing. For the less security-conscious it is another reminder that the same password should not be used for multiple accounts, as you will need to change every instance of the potentially compromised password.

Follow me on Twitter: @GeraintW