If you’re making a list of high profile data breaches, you now have a new name to add to that list: eBay. In a posting in the “in the news” section of their web site, eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.
“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth”
Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or at least that is the view the wording of the article presents. For now, if you’re an eBay user, you need to change your password there, and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy; that’ll have to stay compromised, I’m afraid.
Some questions for you, eBay (yes, I’m angry, this is MY data which I entrusted to you):
1 – If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? I note with chagrin that “all PayPal financial information is encrypted”. Still running a two-tier system?
2 – If you’re going to tell me that it was encrypted, but the attacker got access to stolen database credentials, why was there no two-factor authentication to access these crown jewels?
3 – Why did it only take compromised credentials to gain access to the corporate network? Again, where’s the multi-factor?
4 – Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately, not to mention exfiltrated? Where are the breach detection systems?
5 – How was my password “encrypted”? I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.
Bonus question for extra points:
– How were the initial accounts compromised and what are you going to do to make sure this doesn’t happen again?
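Question 5 is the one a user can actually reason about once the details are known, because the answer decides how long a stolen “encrypted” password stays safe. The following is an added example (not eBay’s code, and not from the original post) that contrasts the two extremes: an unsalted fast hash, where identical passwords produce identical stored values and every guess costs one cheap hash, against a per-user salted, deliberately slow PBKDF2-HMAC-SHA256 hash. The sample user records, the iteration count and the `algorithm$iterations$salt$hash` storage format are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample records (not real accounts): two users who picked the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery",
    "bob": "correct horse battery",
}

# Assumed work factor for the example; a real deployment tunes this to its hardware
# so that one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def naive_store(password: str) -> str:
    """Unsalted, fast hash: one SHA-1 per guess, and equal passwords collide,
    so a single precomputed table cracks every user who chose the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. A fresh 16-byte random salt per user means equal passwords
    no longer collide, and each guess costs `iterations` HMAC computations."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: the verifier can read back algorithm, cost and salt.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept it
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def identical_hashes(store_fn: Callable[[str], str], users: Dict[str, str]) -> bool:
    """True when two users with the same password end up with the same stored value,
    which is exactly what an attacker with a dumped table hopes to find."""
    stored = [store_fn(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted SHA-1 collides:", identical_hashes(naive_store, SAMPLE_USERS))
    print("salted PBKDF2 collides:", identical_hashes(hash_password, SAMPLE_USERS))
    record = hash_password("correct horse battery")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery", record))
    print("verify wrong:  ", verify_password("correct horse batteries", record))
```

If the answer to question 5 turns out to be the first function, the realistic chance of a password being brute-forced is high for anything short or common, because the attacker pays one fast hash per guess and cracks all users who share a password at once. If it is the second (or a memory-hard equivalent such as bcrypt, scrypt or Argon2), each guess costs hundreds of thousands of operations and has to be repeated per user, which is the difference that lets you give people a sensible answer about their exposure.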
Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently; that’s a pipe dream. If they want to get in, they will get in. Effective security is about accepting the reality of compromise, putting systems and processes in place that mean you discover and react in a timely fashion and, crucially, that make it extremely difficult for the attacker to leave with what they came for. How did you score?
You write at the end of your press statement “The same password should never be used across multiple sites or accounts.” I agree. I’m going to end my “statement” with this.
Sensitive data, especially that which you hold in trust, should always be encrypted, no exceptions.
Oh, and if the email you send offers me a link to click to go and change my password, you’re off my Christmas list, for good.