Millions of eBay customers could be at risk of identity theft after hackers stole personal data such as names, email and postal addresses, phone numbers and dates of birth, giving attackers the information they need to break into other online accounts.
By Matthew Sparkes, 5:47PM BST 21 May 2
http://www.telegraph.co.uk/technolog...ity-theft.html
Millions of eBay customers could be at risk of identity theft after hackers stole personal data from company servers, warn security researchers.
The auction site today asked all 145m of its active users to change their passwords as it emerged that hackers managed to access the names, email and postal addresses, phone numbers and dates of birth of customers. It is feared that those details could now be used to gain access to users' other online accounts.
Some sites such as online banking services accept a date of birth and address as part of their secure log-in process, while telephone banking services will often request the same details to validate who they are talking to. Having a list of these personal details would make life easier for a malicious attacker.
The eBay hack did not include passwords stored in plain text, but encrypted passwords were stolen. The company was unable to say today how strong that encryption was. However, because the attack took place between late February and early March, it is possible that the thieves have had time to recover them, said David Emm, senior security researcher at Kaspersky Lab.
“It’s difficult to quantify the danger customers may be in following the eBay cyber attack, but of course any personal data in the wrong hands is bad news and it appears that the attackers have gained access to customers' names, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords,” he said.
“The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data.
“The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for.”
Paul Martini, chief executive at iboss Network Security, said that eBay could be viewed as the "golden goose of hacking targets" because of the vast scale of information it holds.
"The damage could well have already been done, as the time lag between the cyber breach and the discovery of the breach is in the months," he said. "Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites."
It is thought that hackers managed to access some eBay employee log-ins which gave access to the company's corporate network. From there the attackers were able to access the database containing users' information and steal the data.
Today eBay said that it is "aggressively investigating the matter" along with law enforcement agencies in the US, because all of the company's servers are based there, and will be using the "best forensic tools" to track down the culprits.
The company will be sending an email to each user today to notify them of the data breach and ask them to change their password. They will also be advised to change their log-in on any other websites if they used the same password there.
It will also be making changes to its website within the next 24 hours that will force users to change their password the next time that they log on.
"We believe we have shut down unauthorised access to our site and have put additional measures in place to enhance our security," it said.
It is not yet clear why there was such a long delay between the attack and users being informed, but eBay says that it first discovered the attack "earlier in May". Since then the company has been performing a "forensic analysis", the Telegraph was told.
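The cracking risk Emm describes, and the password-reuse risk that follows from it, as an added example that is not part of the Telegraph article or of anything eBay has said about its systems. The article only says the passwords were "encrypted" and that eBay would not say how strongly; the two storage schemes below (unsalted SHA-1 versus salted, iterated PBKDF2) are assumptions chosen to show why the elapsed time matters so much more for one than the other. The user table, the wordlist and the "other site" are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a stolen user table and for an
# attacker's dictionary. The page does not say what eBay stored or how; the
# two hashing schemes below are assumptions chosen to show the contrast.
USERS = {
    "alice": "Password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",   # deliberately absent from the wordlist
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1", "iloveyou"]


def weak_hash(password):
    """Unsalted single SHA-1. Every user with the same password gets the same
    digest, so one pass over the wordlist cracks the whole table at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password, salt, iterations=100_000):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256). The salt
    forces a separate dictionary run per user; the iterations multiply the
    cost of every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_tables(users, iterations=100_000):
    """Store the same users under both schemes, as two leaked tables would look."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {}
    for u, p in users.items():
        salt = os.urandom(16)
        strong[u] = (salt, strong_hash(p, salt, iterations))
    return weak, strong


def crack_weak_table(weak_table, wordlist):
    """Offline attack on the unsalted table: hash each guess once, then look
    every stored digest up in that precomputed map (rainbow-table style)."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {u: lookup[d] for u, d in weak_table.items() if d in lookup}


def crack_strong_table(strong_table, wordlist, iterations=100_000):
    """The same attack against the salted table: no shared precomputation is
    possible, so the full wordlist is re-hashed for each user."""
    cracked = {}
    for u, (salt, digest) in strong_table.items():
        for w in wordlist:
            if hmac.compare_digest(strong_hash(w, salt, iterations), digest):
                cracked[u] = w
                break
    return cracked


def hashes_required(n_users, n_words, iterations):
    """Hash computations an attacker needs for one full dictionary pass under
    each scheme. The 'two to three months' in the article is time to grind
    through exactly this kind of work."""
    return {
        "unsalted_sha1": n_words,
        "salted_pbkdf2": n_users * n_words * iterations,
    }


def reused_elsewhere(cracked, other_site, iterations=100_000):
    """Credential reuse: try each cracked password against another site's
    salted table for the same username. Only reused passwords verify, which
    is why the advice is to change the password on every site that shared it."""
    hits = []
    for u, pw in cracked.items():
        if u in other_site:
            salt, digest = other_site[u]
            if hmac.compare_digest(strong_hash(pw, salt, iterations), digest):
                hits.append(u)
    return hits


if __name__ == "__main__":
    weak, strong = build_tables(USERS, iterations=10_000)
    print("cracked (unsalted):", crack_weak_table(weak, WORDLIST))
    print("cracked (salted):  ", crack_strong_table(strong, WORDLIST, 10_000))
    print("work per pass:     ", hashes_required(len(USERS), len(WORDLIST), 10_000))
    # Constructed 'other site' where only alice reused her eBay password.
    other = {}
    for u, pw in {"alice": "Password1", "bob": "different-one"}.items():
        s = os.urandom(16)
        other[u] = (s, strong_hash(pw, s, 10_000))
    print("reused elsewhere:  ", reused_elsewhere(crack_weak_table(weak, WORDLIST), other, 10_000))
```

Both attacks recover the same two weak passwords from this toy table, but the salted, iterated scheme costs the attacker `users x words x iterations` hash operations instead of `words`, so the same months of head start buy far fewer cracked accounts. The reuse check is the practitioner's version of the advice in the article: any password recovered from the eBay data should be assumed burned on every other site where it was used.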