eBay Gum – Sticky times at the world’s biggest tat shop

Everyone knows that eBay has announced the loss of a gazillion customers’ records, including customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

Not good.

This activity apparently took place between February and March this year and the suggestion from eBay is that the compromise was against a single database, in other words, your credit card data was not compromised, honest.

There are simply too many unanswered questions at the moment which eBay really needs to get down to answering:

Why don’t eBay encrypt all customer data, rather than just passwords? This is not computationally difficult and frankly is best practice.
How do eBay know that no further data has been stolen? If this has been going on for a month, what is the real scale?
Yesterday PayPal (owned by eBay) announced and then withdrew a recommendation to change passwords. Why? Were they panicking?
Why don’t eBay have multi-factor authentication to the IS systems? Again best practice, not expensive, very basic.
How did the breach occur in the first place, and what will be done to stop it happening again?
Why didn’t the exfiltration of masses of data trigger an alarm? What systems are in place to detect this?

eBay has recommended that users change their passwords; however, they have also stated that the passwords were hashed, salted (peppered) etc. What they haven’t come clean about is exactly how this crypto was done. For more information about salting hashes, have a look here rather than asking Delia, Nigella or Howard Marks: https://crackstation.net/hashing-security.htm

These questions may be answered in due course but the damage is done. Change your eBay password and all other online passwords that are the same and be very vigilant.

If you host customer data and want some solid advice about detecting and managing the security of this data, then please give us a call on 020 7517 3900 or email [email protected]