eBay Password Breach Prompts Security Best Practices Review


The massive password breach still roiling eBay is compelling other firms to conduct a thorough review of employee authentication measures and how to better protect sensitive customer data contained in production databases, experts tell CRN.

An eBay spokesperson told CRN on Wednesday that the company salted and hashed its passwords, two necessary password security measures that experts say makes the cracking process significantly more difficult for criminals. Despite the password protections put in place, security experts are calling on eBay to invalidate the passwords associated with its 145 million user accounts, automatically prompting account holders to change their passwords when they attempt to log into eBay. So far, the firm is only "asking" users to change their passwords.

"If eBay has taken necessary precautions to salt their passwords, the gravity of the breach is less significant than what we saw from the Adobe password breach last year," said Richard Henderson, a security strategist at Fortinet's threat research and response labs in Burnbaby, British Columbia. "It would be better from a security perspective to dump all authenticated sessions and force a password change upon reclogging in, but it's clear that there's a variety of issues that could make it challenging for eBay or any business."

[Related: Stolen eBay Employee Credentials Result In Massive User Password Data Breach]

Reports that the database stolen from the San Jose, Calif.-based company was put up for sale on anonymous text file website Pastebin is being disputed by eBay and some security experts, who say a review of some of the account credentials associated with it may be linked to a similar breach in Malaysia. The Pastebin post was requesting 1.45 Bitcoins (about $750) for the data.Trey Ford, global security strategist at vulnerability management vendor Rapid7, said it is possible the criminal saw an opportunity to use the eBay breach to unload some stolen credentials they have.

"It’s not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale," Ford said in an email message. "If eBay chose to force all users to go through a password reset, the stolen passwords would be useless at eBay.com, but people would still need to change them on any other site for which they were used."

The eBay attackers used stolen employee passwords to gain initial access to the company's corporate network, according to a statement issued by the company on Wednesday. The firm didn't say how the passwords were obtained by the attackers, but experts say stolen credentials are consistently used across many data breaches. 

NEXT: IT Security Faces Pushback On Enforcement, Partners Say