eBay - A Trophy Hack?

The news over the last week confirmed that eBay has been hacked. Media comments suggest that upwards of 145 million users have had their account details, including passwords and personal information, stolen.

According to reports, the story started when a bizarre blog post appeared on PayPal’s website that indicated eBay was asking users to change their passwords. The post was quickly deleted, but not before it had been retweeted dozens of times. The cat was out of the bag and eBay started making the headlines.

What we know

eBay has been hacked! If this isn’t alarming enough, consider that eBay’s user-base is huge and the data that appears to have been stolen contains more than just usernames and passwords. eBay is obviously worried that the breached database contains personal information as well as encrypted passwords.

What we don't yet know

So far eBay has been reasonably tight-lipped about the breach. But there are some significant unanswered questions that it needs to address quickly:

  • How much data was stolen, and how easy would it be for the attackers to use that data?
  • How was the data encrypted?
  • How were the passwords encrypted? How strong was the hash function and were the passwords salted too?
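
To show why that last question matters, here is an added example (not from the original post, and nothing to do with how eBay actually stores passwords) that compares a fast unsalted hash with a per-user salted, slow key derivation. The two usernames and the shared password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!"}
ITERATIONS = 100_000  # work factor for PBKDF2; raise as hardware allows


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted digest per password. Identical passwords
    produce identical digests, so a single precomputed table covers every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Stronger scheme: a random 16-byte salt per user plus a slow KDF. The salt
    is stored alongside the digest; it need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_pbkdf2(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(users: dict) -> dict:
    """Report whether users sharing a password are distinguishable in each scheme."""
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: salted_pbkdf2(p)[1] for u, p in users.items()}
    return {
        "weak_digests_collide": len(set(weak.values())) < len(weak),
        "strong_digests_collide": len(set(strong.values())) < len(strong),
    }


if __name__ == "__main__":
    print(compare_schemes(USERS))
```

With the unsalted scheme the two stored values are identical, so recovering one password recovers both and a leaked table can be attacked wholesale; with per-user salts and a slow KDF each record must be worked on separately.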

The trophy hack

eBay is one of the world's largest websites and, given the nature of its business, needs to retain a significant amount of personal information about its users. As a target for attackers, eBay is a holy grail and a trophy, because a compromise of its databases would be the one-stop shop attackers need to gain personal and financial information.

What you should do now

The advice in the event of hacks like this is always the same. Change your password. Consider also changing your PayPal password in this case. Although PayPal appears not to have been affected, I'm betting lots of people use the same password for PayPal as they do for eBay.

Then consider which other sites you may have used that password on. This is yet more proof, if you needed it, of why you must never reuse passwords across websites; despite the common sense of this, many people still do. Also change and rotate your passwords regularly.

Better still, use a password tool like LastPass (other password tools are available), which will generate a long and complex password for you and then remember the site and password on your behalf.

I’m waiting to see how this incident pans out and I’m expecting we’ll learn a lot from it. I’ll provide more analysis on this blog shortly.