Compromised employee credentials blamed for eBay hack

Cyber-criminals are getting smarter at targeting just the right individuals in order to obtain their business log-in details, and so gain access to corporate treasure troves, so maybe new ways need to be tried to stop them

  • 10 years ago Posted in

Of course, in an ideal world, every user would be changing their every password every week, at least. The trouble is, of course, that the consumption of pieces of paper on which said passwords would surely need to be written would soon consume all the forests of the world. But now some 145 million people are being asked to change at least one password, that used for eBay.

The site has been hit by a cyber-attack that has led to a database containing encrypted passwords, user names, addresses, dates of birth and other details. The attack was based on the hackers compromising the log-in details of an eBay employee – and presumably someone well-placed in the systems administration side of the business so access to such sensitive files would be considered normal.

This seems to have become an increasingly common MO for the hackers, and suggests that most businesses need to find ways to strengthen the defences associated with staff working in sensitive positions, and perhaps even providing them in training so they might recognise weaknesses in their own behaviour (for example, leaving smartphones unattended and with inadequate user authentication routines blithely accepting a new acquaintance as a new `best friend’.

Such options are, of course, the start point for much paranoia, but gaining access to the credentials of such staff can be the start of access to much larger prizes. And sometimes, technology solutions are not the answer and straightforward, common-sense best practices can be.

The eBay strike has, of course, also prompted members of the security community to venture opinions on the event and surrounding issues.

eBay cyberattack based on compromised employee log-in credentials – Vormetric comments

Paul Ayers, VP EMEA at Vormetric, noted that though we are less than half way through the year, he is beginning to lose count of the number of big name companies that have fallen foul of hack attacks like this. 

“A common theme of many of these breaches is that they involve cybercriminals actively seeking to compromise insider accounts (focusing most heavily on privileged users like IT administrators) in order to infiltrate systems and steal data using their credentials.  Because they are exploiting legitimate access, these attacks can be very difficult to spot– indeed the eBay breach occurred as long ago as between late February and early March.  It’s a bit like trying to find a needle in a haystack, except the needle is disguised as a piece of straw. 

“In the case of the breach at eBay, the cybercriminals have targeted a database containing eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.  Enterprise databases are a rich seam of valuable data for hackers and the route to this data is often via users that have the appropriate access rights and network privileges.  Even though a portion of it was encrypted, it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks.  That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed.   

 

“The most effective way to practically defend systems against this kind of threat is to protect data at its source and provide access on a true need to know basis, which can be achieved by implementing encryption combined with tight access controls as a method of carefully separating users’ network access from their ability to actually read, access and copy data.  That way, if user accounts are compromised – as seems to be happening on almost a daily basis – there are more effective controls in place to help mitigate the damage that can be done.”

According to Trey Ford, global security strategist at Rapid7, organisations are under considerable pressure to disclose a breach quickly, and this pressure complicates the already considerable challenge of confidently drawing a box around what was compromised, and confirming the attacker’s access and influence has been eliminated, making sure they will not return.

“Two concerns stand out,” he observed. “Passwords will eventually be decrypted, and attackers will now have access to data, making it easier for them to sound legitimate.

Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter. Expect an uptick in phishing, do not click on links in emails, or discuss anything over the phone. Call customer service instead or go directly to websites as you normally would.”

And in the end, the first step for all 145 million eBay users is go and change that password if it is used on other sites – especially if it is their email.

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.