Oy vey, eBay! Five questions for you…

Image courtesy of Richard Elzey used under Creative Commons

If you’re making a list of high-profile data breaches, you now have a new name to add to that list: eBay. In a posting in the “in the news” section of their web site, eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth

Although investigations are of course still ongoing, the current posting indicates that eBay are relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view. For now, if you’re an eBay user, you need to change your password there and if you used that password on any other web site, you’re going to need to change it there too (yes, again). Unfortunately changing your name or address is not so easy, that’ll have to stay compromised I’m afraid.

Some questions for you eBay (yes I’m angry, this is MY data which I entrusted to you)

1 – If all this sensitive data was stored in one single database, why was it not encrypted? In fact, why would it not be encrypted even across multiple databases? I note with chagrin that “all PayPal financial information is encrypted”. Still running a two-tier system?

2 – If you’re going to tell me that it was encrypted, but the attacker got access to stolen database credentials, why was there no two-factor authentication to access these crown jewels?

3 – Why did it only take compromised credentials to gain access to the corporate network? Again, where’s the multi-factor?

4 – Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately not to mention exfiltrated? Where are the breach detection systems?

5 – How was my password “encrypted”? I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.

Bonus question for extra points

– How were the initial accounts compromised and what are you going to do to make sure this doesn’t happen again?

Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in. Effective security is about accepting the reality of compromise, putting systems and processes in place that mean you discover and react in a timely fashion and crucially that you will make it extremely difficult for the attacker to leave with what they came for. How did you score?

You write at the end of your press statement “The same password should never be used across multiple sites or accounts.” I agree. I’m going to end my “statement” with this.

Sensitive data, especially that which you hold in trust, should always be encrypted, no exceptions.

Oh, and if your email, when you send it, offers me a link to click to go and change my password, you’re off my Christmas list, for good.

3 thoughts on “Oy vey, eBay! Five questions for you…”

  1. Valerie

    I had one of the first ebay accounts. Recently I kept getting text messages from ebay saying my code is nnnnn over and over, with different numbers each time. I called and said I was worried about a breach. They said it was no big deal and acted like there were no security breaches going on. I closed my ebay account.

  2. Mouse Retherford

    Not only did those clueless twits let their client data be compromised, their knee-jerk reaction has locked me out of my account that I have had for 14 years (100% positive). I can’t get the semi-trained monkeys to fix it. A quick, easy lesson on how NOT to run a business.

  3. Christian

    Hi Rik,

    Good line of questioning. I wonder if it is too late to suggest, before the EU Data Protection Law is ratified, that personal accountability should be recognised retrospectively for those individuals who, it appears, have blatantly disregarded good practice, note NOT best practice. They could choose to accept a personal fine or leave the industry. A 2 year window for the retrospective period seems fair to me.
