May 21, 2014

eBay Hacked: Need-to-Know Details for Protection

In today’s Whiteboard Wednesday, Chris Kirsch, Senior Product Marketing Manager at Rapid7 will discuss the latest eBay hack which was announced on May 21st.

Watch this video to learn how and why this happened, how this affects you and your company, and see what you can do to protect yourself.


Read Video Transcript

Hello and welcome to this Rapid7 Whiteboard Wednesday on a very topical subject. We’ve just heard news that eBay was breached and some key credentials for users were disclosed.

So we’d like to help you understand what happened, how this impacts you, and also what the things are that you can do to protect you and your company right now. So first of all, let’s look at the facts, and there are very few facts out there right now. eBay got hacked in late February/early March, and they announced today that the following things were breached: user names, email addresses of eBay users, encrypted passwords (we have no information on what kind of encryption was used), physical addresses, so that would be delivery addresses, date of birth and phone number. They were very specific that no credit card data, financial data or PayPal logins were breached at this point.

So they also detected no fraudulent account activity, so that is a good sign. Now let’s have a look at how this breach happened. First of all, a few key employees had their credentials breached, and this really led to the whole thing snowballing and the user database being compromised. If we look at kind of the industry data and the Verizon breach report, credentials are the number one attack vector for breaches; they’ve risen from number three. They’re also the number three most traded, and they’ve gone up in value: credentials are now traded at more dollar value than credit cards on the black market, especially after the Target breach, when a lot of credit card data was dumped on the market.

It also shows that detection of these kinds of attacks happens in weeks or months, whereas compromises happen in seconds or minutes. So it’s really interesting that the Verizon data breach report and the data we know about this data breach kind of align with this. Now how does this impact me and my company? Let’s talk about you first. First of all, there could be eBay fraud if the passwords are decrypted. So here, that means people could order in your name. Secondly, hackers could use your user name and password or your email address and password on third-party sites. Think about PayPal, Amazon, some other sites that they could get access to.

One thing that I would like to pay special attention to is email accounts, because your email accounts do not only contain personal information; they’re also what you use for resetting passwords on third-party sites. If you trigger a password reset, they send you a link and ask you to click on that, or send you a new password.

So these are really important, I can’t underline them enough. Password reset questions: you all know the school mascot, date of birth kind of questions. Think about what this means with the information up here. You have the physical address, date of birth and phone number; this could all be used to help answer password reset questions, maybe in combination with a little online research and social media research. And also think about identity theft. People could impersonate you, knowing a lot of this information.

For your company, it could mean that your systems could be breached because of shared passwords, where users are using the same password on eBay as on your company systems. You could also receive much more legitimate phishing emails, because they can now include user names, names, physical addresses, date of birth, phone numbers: a really rich information email that looks completely legitimate, and that is actually a phishing email. With this information, your company could also get social-engineered. So think about the IT helpdesk, think about HR; make them aware that this might be coming, be extra vigilant.

What could you be doing now? Well, for yourself: change your eBay password, that’s kind of the obvious one. Also change all shared passwords that you’re using on other sites, anywhere that uses the same password as eBay, and use a password manager, such as 1Password, LastPass, KeePass; there’s a lot out there. And be vigilant for realistic-looking phishing emails and ID theft. Second thing: for your company, if I were a CSO, I would now inform my users to say, “Hey, eBay got breached, this is what it means, here are the things you should do.” You’ll look like the security hero, because you’re not only protecting the company information, but also their personal information.

And then also enforce strong passwords, 12 characters, you know the drill, and then monitor user activities and anomalies on the network. Rapid7 has products that can help you there, but there are others in the market as well. And yeah, so if you’re interested in taking this further, we have a blog post out on our Rapid7 blog that also includes a little template of a form email that you can send out to your user base. I hope you have found this useful, and we’ll see you next week.

Learn More

Read this blog post for a more detailed explanation of the eBay hack.
