A massive security breach happened in late February 2014 and early March 2014, affecting over 145 million users of the well-known shopping website eBay.
eBay is the latest victim of a cyberattack — and if you are one of the 145 million users with an active account, or even one of the many millions more with inactive accounts, you may well be affected.
While eBay is urging users to update their passwords immediately (here’s how to do that), many are left wondering what this means for their data and what they can do to keep it safe.
The hackers used social engineering to obtain an eBay employee's login information, and with it they stole users' shipping information, email addresses, telephone numbers, dates of birth and transaction information.
While they could not steal the passwords themselves because these were encrypted, a good hacker can always use the email address and the password hash (the encrypted password) to try to break into other social networks (Facebook, Twitter, LinkedIn, Instagram) in the hope that the eBay account holder reused the same password on other websites.
If you are worried that credit card information stored with eBay might have been compromised, you need not worry: current compliance regulations require that when a credit card number is stored, the CV2 number (the number on the back of your credit card) must not be stored with it, which makes the stored card number just another 16-digit number.
PayPal users’ financial information is stored in an encrypted format on a separate network, eBay noted. The digital payment unit processes 9 million payments a day and serves more than 148 million active user accounts across 193 markets, according to eBay’s website.
What the hackers can do with the data stolen
The eBay database that was compromised isn't exactly the "crown jewel" of information, since it doesn't contain financial elements, but the data gleaned can be combined with other information available across online black markets if the hackers wanted to monetize it. He also said that since eBay is "highly trusted," users might have been more willing to provide the online marketplace with more information.
“It shows that even the best of Internet sites are vulnerable to cyber attacks … you can’t stop this tidal wave,” Ponemon warned.
More than likely the data will be sold on the internet black market to spammers and marketing companies, or used for identity theft (impersonating another person to the authorities).
What you need to do
Immediately change your eBay password. As a precaution, also change the passwords of your other personal online accounts, and make sure you use a complex password (uppercase letters, lowercase letters, numbers and special characters such as $, %, *, ), (, #, @). Do not use your name or birthday as part of the password.
Do not use the same password twice.
Do not store your new passwords in any type of digital format (Google Docs, Email, Notes, Office Online).
Change your passwords regularly. Make them expire every 72 days if you have this option (Hotmail offers it), and if you run out of ideas, you can always rotate the passwords from one account to the other.
If you start receiving unsolicited emails, or emails asking you to change your Facebook password or banking details, report them as spam immediately and do not click on any links.
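As an added illustration of the password rules above (this is not part of the original article, and `check_password` is a hypothetical helper name), here is a small checker that reports which of those rules a candidate password breaks: mixed case, digits and a special character, no fragment of your name or birthday, and no reuse of a password you already use elsewhere.

```python
import string
from datetime import date

def check_password(password, name="", birthday=None, previous=()):
    """Return the list of rules the password breaks (empty list means it passes).

    'name' is the account holder's name, 'birthday' a datetime.date, and
    'previous' the passwords already in use on other accounts.
    """
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Any part of the name (first, last, ...) of three letters or more
    # appearing inside the password, regardless of letter case.
    for part in name.lower().split():
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains name fragment '{part}'")
    # Birthday written in the common numeric layouts: year, DDMM, MMDD,
    # and the full date in day-first, month-first and ISO order.
    if birthday is not None:
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            token = birthday.strftime(fmt)
            if token in password:
                problems.append(f"contains birthday fragment '{token}'")
                break
    if password in previous:
        problems.append("password already used for another account")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real account data.
    print(check_password("password"))
    print(check_password("JohnSmith#1985", name="John Smith", birthday=date(1985, 3, 7)))
```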
Is this security breach related to the Heartbleed bug?
The news comes just a few weeks after an encryption flaw called the Heartbleed bug affected many popular websites and services such as Gmail and Facebook. The bug quietly exposed sensitive account information, such as passwords and credit card numbers, over the past two years and went widely undetected until recently.
The eBay security breach is not software related; it was caused by an employee giving out information (possibly without even knowing what he was doing).
“Big companies have incredibly complex environments, with hundreds of thousands of users and systems they need to monitor, which means there are a lot of potential entry points for attackers to target,” Ford said. “And in the case of big companies, they often are targets for attackers because they have a lot of customers and a lot of valuable data. So attackers that are well-resourced will invest real time in casing a large company to find a way in, which frequently involves manipulating the company’s employees or trusted network in some way.”
About Social Engineering
Or how your information can be used without your knowledge
The hackers broke into eBay's network by compromising a "small number" of employee login credentials, which allowed the attackers to gain access to eBay's corporate network. You can learn how by watching this short instructional video about social engineering on YouTube: