
eBay says that cyberattackers infiltrated its corporate network

It seems as though no company is immune to cyberattackers, with eBay becoming the latest company to crack under pressure. The company reports that a “small number” of employee log-in credentials were compromised, allowing attackers to access a database containing encrypted passwords and non-financial data.
 
eBay will begin contacting its users later today to urge them to change their passwords.
 
It should be noted that while eBay first noticed that log-in credentials were compromised two weeks ago, its corporate network was actually infiltrated between late March and early April.  According to eBay, information visible to the attackers included “eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.”
 
However, eBay is quick to point out that financial information and “confidential personal information” were not accessed by the cyberattackers.  
 
eBay subsidiary PayPal was not affected by this breach, so those users' accounts should be safe… for now.

Source: eBay via BusinessWire



Comments

Confidential personal information
By wookie1 on 5/21/2014 11:56:23 AM , Rating: 3
They say:
“eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.” And then that no confidential personal information was compromised. What is it that they consider confidential? A name, address, and date of birth can grant someone access to pretty much anything.




RE: Confidential personal information
By bug77 on 5/21/2014 12:44:11 PM , Rating: 3
If you really think about it, that is not confidential information. Most of it is available in a phone book.
Your password or CC numbers, those are confidential.


RE: Confidential personal information
By Da W on 5/21/2014 1:51:43 PM , Rating: 3
Done!
New password is #@?#E$&%?TGD8tD?W%AS*DT?7 now.


RE: Confidential personal information
By marvdmartian on 5/21/2014 2:19:23 PM , Rating: 2
Well, that's probably better than the hundred thousand eBay users, who will change their password from "1qazZAQ!", to "2wsxXSW@"!!


RE: Confidential personal information
By LSUJester on 5/21/2014 4:35:25 PM , Rating: 3
I'll change mine from EbaySite1! over to EbaySite2@. Those hackers will never get me!


By Dorkyman on 5/22/2014 2:01:20 AM , Rating: 4
Just changed mine from "password" to "Password." I feel pretty good about it.


By marvdmartian on 5/23/2014 7:34:17 AM , Rating: 2
Funny, getting knocked down to a 1 on my original comment. Guess I gave away too many people's new password! LOL


By inperfectdarkness on 5/22/2014 6:41:35 AM , Rating: 2
"Kyle$MomsAB1gF@B1tch"


RE: Confidential personal information
By inperfectdarkness on 5/22/2014 6:42:57 AM , Rating: 2
I'm just hoping it was limited to Ebay. If they got Paypal data, it could be a HUGE CF.


RE: Confidential personal information
By inperfectdarkness on 5/22/2014 6:43:45 AM , Rating: 2
...in fact, that's why I've INTENTIONALLY never linked the two. I have to manually log into PP each time I buy something.


RE: Confidential personal information
By FITCamaro on 5/22/2014 9:02:01 AM , Rating: 2
Same. But I finally deleted my Paypal account yesterday.


RE: Confidential personal information
By Piiman on 5/24/2014 8:11:39 AM , Rating: 2
You were able to delete a PayPal account? How?


By Indianapolis on 5/25/2014 10:12:34 PM , Rating: 2
It's not easy, but it involves Frisbees and motorcycles.


i don't even know my password...
By sixteenornumber on 5/21/2014 10:08:22 AM , Rating: 2
"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network..." -http://www.ebayinc.com/in_the_news/story/ebay-inc-...

Not surprising, but I'm really interested to hear who was behind the attack. Any guesses?




By sixteenornumber on 5/21/2014 10:13:12 AM , Rating: 2
bad copy pasta and can't edit. pay no attention to that link.


By Argon18 on 5/21/2014 11:32:48 AM , Rating: 2
China, Russia, who else?


Rather long delay...
By bsim50 on 5/21/2014 1:01:14 PM , Rating: 2
What doesn't surprise me is that this "was compromised between late February and early March" and yet they've only just got around to informing people in late May...




related?
By tamalero on 5/21/2014 5:23:32 PM , Rating: 2
Wondering: was this breach related to the Heartbleed vulnerability, or did these corporate guys' credentials fall to a usual dictionary/brute-force attack?




biometrics anyone?
By Mike Acker on 5/22/2014 7:33:51 AM , Rating: 2
just think: if you were using a biometric ID such as a thumbprint or iris scan: you could not change your password

biometrics are an effort to stamp out anonymity and have nothing to do with security.

for security you must protect the software first before there can be any discussion of protecting data.




The more reason to have password safe software
By jamdev12 on 5/21/14, Rating: -1
RE: The more reason to have password safe software
By Arkive on 5/21/2014 10:46:30 AM , Rating: 2

Passwords in general are terrible. I don't understand why any internal network of the size of eBay's doesn't use a token-based system for login (i.e. smart card with a PIN). It creates a much shorter, easier to remember password, doesn't have to be changed, and cannot be compromised without possessing the token in hand.


By ImEmmittSmith on 5/21/2014 10:52:16 AM , Rating: 1
If the cyber attackers get access to the encrypted password, then it doesn't matter how long or complicated your password is because they have it. Kind of defeats the purpose of having a long complex password!


By nafhan on 5/21/2014 11:08:38 AM , Rating: 2
quote:
If the cyber attackers get access to the encrypted password then it doesn't matter how long or complicated your password is
Actually, that's exactly when having a complex password is helpful! If you could be certain no one would ever get a hold of the encrypted password you wouldn't even need to worry about encrypting it!


RE: The more reason to have password safe software
By bug77 on 5/21/2014 11:11:50 AM , Rating: 2
The encrypted password is a (hopefully salted) hash (usually MD5 or SHA) that you can't actually use to authenticate anywhere.


RE: The more reason to have password safe software
By tayb on 5/21/2014 12:27:49 PM , Rating: 1
That is incorrect. A login mechanism simply compares the hashed password stored in the database to the hashed password you typed. If they match, you login. If you have the hashed password from the database you can gain access.

Further, the hashed password can be taken offline and cracked to obtain the plain text. This is potentially time consuming but it's happening offline so that doesn't really matter. The only thing that really alters the time to crack a password is the character length of the password.

There is no way to truly secure a system with passwords alone.


By bug77 on 5/21/2014 12:41:38 PM , Rating: 3
That's nice and everything, except one does not type hashed passwords. One needs the plain text one.
Like you say, it can be cracked offline, but I don't know of any high profile incident where properly salted passwords were cracked. Unsalted hashes on the other hand are pretty easy to defeat with an available dictionary to assist.


By Jerret on 5/21/2014 4:36:34 PM , Rating: 3
eBay does support security tokens. Login, go to My Account -> Personal Information and you'll see the link near the bottom of the page, or just go here: https://signin.ebay.com/ws/eBayISAPI.dll?ActivateS...

For those of you without a physical token, you can install the Symantec Validation and ID Protection client on your smartphone for free. Just search for 'VIP Access' in your app store.


By tayb on 5/21/2014 10:51:05 AM , Rating: 2
Unnecessary. Just implement two factor authentication.


By FITCamaro on 5/21/2014 1:44:23 PM , Rating: 2
I started using 1Password from Agile Bits after seeing it on a coworkers computer. I'm really liking it so far. And you can back up your info to Dropbox. Sure that can get hacked, but then you just change all the passwords saved and no harm done. Unless they steal your laptop, it doesn't matter if they find out the password you use to unlock the software. Unless they can constantly steal your dropbox password anyway.


By AmbroseAthan on 5/21/2014 4:54:01 PM , Rating: 4
By FITCamaro on 5/22/2014 9:01:13 AM , Rating: 2
Lol. Awesome.


By Monkey's Uncle on 5/22/2014 2:35:46 PM , Rating: 1
Here is a simple SHA-1 hash for a password:

5B2440A5C249D64EBB0E42069492D93E0BB9E57E

I won't give you the password itself, but I will give you the scheme used (plain SHA-1) and the hashed value.

I challenge anybody reading this post to turn that back into the original password.

Hashes are the norm for most websites and servers. You grab their database; that is all you will get. You won't get 'clear' passwords - especially from someone like ebay.

There is a reason for that -- if you use sensible passwords, you can't decode them. To prove it, I dare anyone here to try and crack the hash one in this post.


By Hellfire27 on 5/22/2014 6:59:40 PM , Rating: 2
I'm sorry Mr. Uncle that isn't quite correct. Through the use of Rainbow Tables you can generate a password that has the same hash value. It doesn't have to be the original password, just one that has the same hash value. Once you have that password the database won't know or care if it is the correct one. Sure, it takes time, but it can be done.


By Monkey's Uncle on 5/24/2014 7:24:44 PM , Rating: 2
Give it a try. I think you would end up old & grey by the time you find a password that generates that same hash - even with rainbow tables. By that time, the whole idea of using hashes will be replaced by something even better ;)
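The points argued across this thread (bug77 and tayb on whether a stolen hash logs you in, Monkey's Uncle's plain-SHA-1 challenge, Hellfire27's rainbow tables) can be checked in code. The following is an added example, not code from DailyTech, eBay or any commenter. It shows three things: a login check re-derives the hash from the plaintext the user typed, so submitting the stored hash as the password fails; an unsalted SHA-1 hash of a common word resolves instantly from a precomputed table; and a salted, iterated hash gives two users with the same password different records, so a table computed once cannot be reused against a whole database. The word list is a constructed stand-in for the public dictionaries the thread mentions, and the iteration count is a placeholder to be tuned per server.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a public dictionary; a real one has millions of
# entries, but the lookup logic below is identical.
WORDLIST = ["123456", "password", "Password", "letmein", "EbaySite1!", "1qazZAQ!"]

PBKDF2_ITERATIONS = 200_000  # placeholder; tune so one derivation costs ~100 ms


def unsalted_sha1(password: str) -> str:
    """The scheme in Monkey's Uncle's challenge: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Hardened form: per-user random salt plus an iterated (slow) hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_record(password: str) -> dict:
    """What the database stores: the salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def login(record: dict, submitted_password: str) -> bool:
    """Server-side check.  The server re-derives from the *plaintext* the user
    typed and compares in constant time.  Submitting the stored hash as the
    password just gets hashed again and fails, which is why a stolen hash is
    not a usable credential on its own."""
    candidate = salted_hash(submitted_password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def build_lookup_table(words) -> dict:
    """A precomputed table (the idea behind rainbow tables): hash every word
    once; afterwards any unsalted hash in the list resolves by a dictionary
    lookup, with no per-record work."""
    return {unsalted_sha1(w): w for w in words}


def resolve_unsalted(stored_hash: str, table: dict):
    """Returns the matching word, or None if the hash is not in the table."""
    return table.get(stored_hash.upper())


def salted_records_collide(password: str) -> bool:
    """Two users with the same password: identical under plain SHA-1, but
    different once each record carries its own random salt, so the
    precomputed table cannot be reused across records."""
    return create_record(password)["hash"] == create_record(password)["hash"]


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted SHA-1 of 'Password' resolves to:",
          resolve_unsalted(unsalted_sha1("Password"), table))
    alice = create_record("Password")
    print("login with the real password:", login(alice, "Password"))
    print("login with the stored hash as the password:", login(alice, alice["hash"].hex()))
    print("two users sharing 'Password' get identical salted records:",
          salted_records_collide("Password"))
```

Note what the salt does and does not buy: it forces the work to be repeated per record and makes a ready-made table useless, and the iterated hash makes each guess expensive, but a password that is itself in a short list is still found by guessing against that one record. Both the hardening and the "use sensible passwords" advice in the thread are needed.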


By FITCamaro on 5/23/2014 8:58:58 AM , Rating: 2
Except in a few cases where passwords were stored in plain text as I believe was the case in the Playstation hack.


By Piiman on 5/24/2014 8:13:53 AM , Rating: 1
They do but that doesn't stop lazy employees. Believe me I know.

Copyright 2014 DailyTech LLC.