Wednesday, May 21, 2014

Ebay urges users to reset passwords after cyberattack

eBay's announcement that a database holding the personal details of users – potentially all 223 million worldwide – was hacked raises a number of serious questions.

It's the biggest reported hack ever in terms of the number of people affected, but does not affect financial data, which is stored separately.

Q: Do I need to change my eBay password?

A: Yes. eBay is recommending this to all users.

Q: But I just changed it a few weeks ago when all the Heartbleed stuff was happening. Do I really need to?

A: eBay says that it discovered the hack about two weeks ago, and that it happened between "late February and early March". If you haven't changed your password since then, you should.

Q: What data was stolen?

A: eBay says that the database with users' customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth was breached. It hasn't said how much of that data was copied. It's best to assume that it all was.

Q: Who was behind it?

A: eBay hasn't said, and it's unlikely that any group would claim responsibility. But the fact that the hackers targeted eBay and its customer database suggests that they were commercially oriented, rather than an Anonymous-style "hacktivist" group.

Q: What could someone do with that data?

A: That varies from country to country, but enterprising villains could certainly use it for online identity theft.

Q: Was any financial data stolen?

A: eBay says not; PayPal, its payment arm, says it was not affected, and that all its information is encrypted.


Q: Should I change my PayPal password?

A: If you want to be ultra-cautious, yes, but make it different from your eBay one.


Q: What's the biggest risk from this hack?

A: The most obvious one is "phishing" emails pretending to be from eBay asking you to reset your password, but which direct you to a fake site that will steal your password. The problem is that eBay is going to be sending out lots of emails asking people to change their password.

Normally, you can recognise a real eBay email because it contains your username in the subject line – which run-of-the-mill phishing attempts don't have. (Those tend to say something like "eBay user, change your password!" and should always be ignored.)

But if hackers have got hold of a database with your email address and username (aka customer name), then they can format an email which will look just like the real thing – but lead you to a fake site that looks like eBay but will capture your login details.

To avoid this, don't follow any links in emails that seem to come from eBay. Type the site's address into your browser. Advise your friends (and relatives) about this too: if eBay's username database has leaked to any extent, all those people are very vulnerable to phishing.

Q: Do I have to change my "secret question", which is used if I can't remember my password?

A: No. eBay says that this was stored separately.

Q: What method was used to encrypt the passwords, and how hard will they be to decrypt?


A: eBay hasn't yet answered our question on this. Internet companies use increasingly sophisticated methods to protect stored passwords; the idea is that your password should be transformed in a one-way process into a string of near-random characters. When you (or someone else) enter a password for the account, it undergoes the same processing, and the resulting strings of characters are compared. If they're the same, the password entry is accepted; if not, it's rejected.
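The one-way process described above is password hashing. The following is an added example and not eBay's code (the article notes eBay had not disclosed its method); it uses the standard PBKDF2-HMAC-SHA256 construction from Python's `hashlib` with a random per-user salt, and the record format `pbkdf2-sha256$iterations$salt$digest` is an assumption chosen for this example. Verification recomputes the digest from the candidate password and compares it in constant time, so the plaintext password is never stored.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: higher is slower for an attacker who has copied the database,
# and slower for legitimate logins too. The value here is an example choice.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record for `password`.

    A fresh random salt is generated unless one is supplied (supplying one
    is only for deterministic testing). The same password with different
    salts yields different records, which defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the one-way transform on `candidate` and compare it with
    the stored digest. Returns True only if the strings match."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: what a site would store instead of the password.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))  # True
    print(verify_password(record, "Correct horse battery staple"))  # False
```

The stored record is what a database thief would obtain: a salt and a digest, from which the password can only be recovered by guessing candidates and repeating the (deliberately slow) transform for each one.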


Q: Why did eBay wait two weeks before telling everyone of a break-in that happened in February?

A: The company hasn't explained the timeline, but security breaches of this type typically take some time first to detect, then to determine their extent, and then to close against further hacks. It's only then that most companies announce they've been affected.

Q: Will eBay be introducing two-factor authentication (where you have to enter a code from a mobile device or previously printed list in order to log in from a previously unused device)?

A: We have asked, but so far haven't received an answer. The large email suppliers (Google, Microsoft, Yahoo, Apple) all offer "2FA" security, which ensures that even if someone steals your password they can't log in from a new device.