Stolen eBay Employee Credentials Result In Massive User Password Data Breach


Online marketplace eBay is urging its users to change their passwords, following a data breach that exposed the user account information of its 145 million users, including their encrypted passwords.

The San Jose, Calif.-based company said credit or debit cards were stored in a separate system and not exposed in the breach. But in addition to the encrypted passwords, the compromised database contained physical and email addresses, phone numbers and dates of birth.

"Our customers are our highest priority and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all eBay users to change their passwords," eBay spokesperson Kari Ramirez told CRN, adding that all eBay users are being notified to change their account passwords. "The encrypted passwords were salted and hashed, and we have no evidence that the encryption on the passwords have been broken." 

[Related: Top 10 Password Data Breaches Evoke Urgency For Stronger Credentials]

Attackers gained access to the company's corporate network by stealing a "small number" of employee log-in credentials, according to an eBay statement issued Wednesday. The database was compromised between late February and early March, the company said.

"The compromised employee log-in credentials were first detected about two weeks ago," according to the statement. "Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today."

In addition, the company said it has no evidence of unauthorized access or compromises to personal or financial information for users of PayPal, which is stored separately on a secure network and with all financial information encrypted. Other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, GumTree or GittiGidiyor also were not impacted by the breach, the company said. 

Experts said the the risk of an attacker successfully cracking the exposed passwords is greatly reduced when the credentials are protected using both hashing and salting techniques, the mechanism eBay said it had put in place to protect its user passwords.

In addition to obfuscating passwords using encryption, salting applies to a predetermined number, a key phrase or word to every user password, making it significantly more difficult for criminals to use automated tools to crack them, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group.

"Password cracking tools are getting increasingly more powerful," Kraus said. "If an attacker gets in and dumps the user database, the additional salting can make it a challenge to crack them." 

The security incident at eBay marks one of the largest user account data breaches in recent memory, solution providers said, and highlights the persistent problem businesses have of safeguarding user passwords and monitoring employee password use.

Stolen account credentials is one of the most common ways criminals infiltrate corporate networks, according to an analysis of a decade worth of data breach and security incident data analyzed by Verizon. A string of account credential data breaches started with LinkedIn at the end of 2012 into 2013 with the massive Adobe Systems breach, and security lapses at online data storage service Evernote and LivingSocial, which impacted tens of millions of users. LinkedIn acknowledged at the time that the more than 6 million user passwords exposed in its breach, while encrypted, did not have the additional salting protection, prompting security experts to advocate for the additional mechanism.

Once an attacker can gain access to a corporate network using stolen employee credentials, they use system privileges and quickly pivot to systems containing sensitive data, said Solutionary's Kraus.

"Once you've got a foot in the network, the next step is privilege escalation, and you can laterally move throughout the organization," Kraus said. "Attackers are getting at the crown jewels because businesses often poorly plan and train for incident response." 

Michael Goldstein, president and CEO of LAN Infotech, a Fort Lauderdale, Fla.-based solution provider and eBay user, updated his password immediately upon hearing about the breach. Goldstein said he noticed a recent increase of spam messages associated with his account. In addition to personally using it, Goldstein said resellers have used eBay to track down and buy obscure or legacy server parts needed for clients.

"Password stealing is a long-standing problem and will probably continue to be until an alternative is broadly adopted," Goldstein said. "When people complain about changing their passwords, I tell them to invest in an encrypted password manager to improve their security posture." 

PUBLISHED MAY 21, 2014