eBay Password Breach Prompts Security Best Practices Review

The massive password breach still roiling eBay is compelling other firms to conduct a thorough review of employee authentication measures and how to better protect sensitive customer data contained in production databases, experts tell CRN.

An eBay spokesperson told CRN on Wednesday that the company salted and hashed its passwords, two baseline password-storage measures that experts say make cracking significantly harder for criminals. Despite those protections, security experts are calling on eBay to invalidate the passwords associated with its 145 million user accounts and automatically require account holders to set a new one when they next log in to eBay. So far, the firm is only "asking" users to change their passwords.

"If eBay has taken necessary precautions to salt their passwords, the gravity of the breach is less significant than what we saw from the Adobe password breach last year," said Richard Henderson, a security strategist at Fortinet's threat research and response labs in Burnaby, British Columbia. "It would be better from a security perspective to dump all authenticated sessions and force a password change upon re-logging in, but it's clear that there's a variety of issues that could make it challenging for eBay or any business."
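To show concretely what salting and hashing buy a breached site, here is an added example (not eBay's code, and not from the article) that stores passwords two ways: unsalted SHA-1, as in older breached databases, and salted PBKDF2-SHA256 with a per-password random salt. The work factor and the four-word wordlist are assumptions for illustration. The attacker's side is shown as well: against unsalted hashes one precomputed lookup table cracks every account at once, while against salted records every guess has to be recomputed per account at the full work factor. Note what salting does not do: a weak password is still found, it just costs the attacker per-account effort instead of a single table lookup.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor; an assumption for this example, not eBay's setting
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)   # constant-time comparison


def unsalted_sha1(password: str) -> str:
    """What a database looks like when passwords are hashed without a salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_with_lookup_table(stolen_hashes, wordlist):
    """Attacker's view of unsalted hashes: hash the wordlist ONCE, then match every
    stolen hash by dictionary lookup. Identical passwords fall together."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return [table.get(h) for h in stolen_hashes]


def crack_salted(stolen_records, wordlist):
    """Attacker's view of salted records: the wordlist must be re-hashed for every
    record, with that record's salt, at the full work factor. No sharing between accounts."""
    cracked = []
    for rec in stolen_records:
        hit = next((w for w in wordlist if verify_password(w, rec)), None)
        cracked.append(hit)
    return cracked


def demo() -> dict:
    # Constructed inputs: two accounts share a weak password, one has a strong one.
    wordlist = ["123456", "password", "Summer2014", "letmein"]
    passwords = ["Summer2014", "Summer2014", "x9!Qv#2lTz"]
    unsalted = [unsalted_sha1(p) for p in passwords]
    salted = [hash_password(p) for p in passwords]
    return {
        "unsalted_collide": unsalted[0] == unsalted[1],   # True: same hash reveals same password
        "salted_collide": salted[0] == salted[1],         # False: salts differ
        "lookup_cracked": sum(w is not None for w in crack_with_lookup_table(unsalted, wordlist)),
        "salted_cracked": sum(w is not None for w in crack_salted(salted, wordlist)),
    }


if __name__ == "__main__":
    print(demo())
```

Both weak accounts are still cracked in the salted case, which is the practitioner's caveat: salting and a slow hash raise the attacker's cost per account, but they do not rescue a password that sits in a small wordlist, so a breach of salted hashes still warrants a forced reset for users with weak passwords.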



Reports that the database stolen from the San Jose, Calif.-based company was put up for sale on the anonymous text-sharing site Pastebin are disputed by eBay and some security experts, who say a review of some of the account credentials in the sample suggests they may come from a similar breach in Malaysia. The Pastebin post asked 1.45 Bitcoins (about $750) for the data. Trey Ford, global security strategist at vulnerability management vendor Rapid7, said it is possible the criminal saw an opportunity to use the eBay breach to unload stolen credentials they already had.

"It's not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale," Ford said in an email message. "If eBay chose to force all users to go through a password reset, the stolen passwords would be useless at eBay.com, but people would still need to change them on any other site for which they were used."
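The forced-reset flow that Henderson and Ford describe (dump every authenticated session, then require a new password on the next login) is easy to get subtly wrong: invalidating the password alone leaves existing session cookies alive. The added example below (not eBay's code, and not from the article) models one way to do it: every user carries a credential version, every session records the version it was issued under, and a session is honoured only while the two match. A global reset bumps every version (killing all sessions) and flags the user so the next login can do nothing except change the password. The PBKDF2 work factor and all names are assumptions for illustration.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass

ITERATIONS = 50_000   # work factor; an assumption for this example


def _pwhash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 1   # bumped on every password change or forced reset
    must_reset: bool = False


@dataclass
class Session:
    user: str
    credential_version: int       # the user's version when this session was issued


class AuthService:
    def __init__(self) -> None:
        self.users: dict = {}
        self.sessions: dict = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(salt, _pwhash(password, salt))

    def login(self, name: str, password: str) -> str:
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(_pwhash(password, user.salt), user.pw_hash):
            raise PermissionError("invalid credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_version)
        return token

    def authorize(self, token: str, action: str) -> bool:
        """Valid only if the session's version still matches the user's; a user
        flagged must_reset is allowed nothing except change_password."""
        s = self.sessions.get(token)
        if s is None:
            return False
        user = self.users[s.user]
        if s.credential_version != user.credential_version:
            del self.sessions[token]          # issued before the last reset: dead
            return False
        return action == "change_password" or not user.must_reset

    def change_password(self, token: str, old: str, new: str) -> None:
        if not self.authorize(token, "change_password"):
            raise PermissionError("no valid session")
        user = self.users[self.sessions[token].user]
        if not secrets.compare_digest(_pwhash(old, user.salt), user.pw_hash):
            raise PermissionError("old password does not match")
        if new == old:
            raise ValueError("new password must differ from the old one")
        user.salt = os.urandom(16)
        user.pw_hash = _pwhash(new, user.salt)
        user.credential_version += 1          # all of this user's sessions are now dead
        user.must_reset = False

    def force_reset_all(self) -> int:
        """Breach response: invalidate every session and require a new password at next login."""
        for user in self.users.values():
            user.credential_version += 1
            user.must_reset = True
        self.sessions.clear()
        return len(self.users)


def demo() -> dict:
    svc = AuthService()
    svc.register("alice", "Summer2014")                  # constructed user
    t_old = svc.login("alice", "Summer2014")
    before = svc.authorize(t_old, "view_orders")         # normal use
    svc.force_reset_all()
    after = svc.authorize(t_old, "view_orders")          # old session dumped
    t_new = svc.login("alice", "Summer2014")             # old password proves identity once more
    gated = svc.authorize(t_new, "view_orders")          # but only change_password is allowed
    svc.change_password(t_new, "Summer2014", "Qv#2lTz-9x!")
    stale = svc.authorize(t_new, "view_orders")          # version bumped: log in again
    t_final = svc.login("alice", "Qv#2lTz-9x!")
    ok = svc.authorize(t_final, "view_orders")
    try:
        svc.login("alice", "Summer2014")
        old_pw_still_works = True
    except PermissionError:
        old_pw_still_works = False
    return {"before": before, "after_reset": after, "gated": gated,
            "stale": stale, "ok": ok, "old_pw_still_works": old_pw_still_works}


if __name__ == "__main__":
    print(demo())
```

One caveat the model makes visible: the reset is gated on proving the old password, so an attacker who has already cracked it can complete the reset first. A production flow ties the change to an out-of-band channel (a link to the registered e-mail, or a second factor) rather than to the compromised password alone.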

The eBay attackers used stolen employee passwords to gain initial access to the company's corporate network, according to a statement issued by the company on Wednesday. The firm didn't say how the attackers obtained the passwords, but experts say stolen credentials are a recurring element in a large share of data breaches.


More information is required to truly reveal the security measures that were in place, and being transparent with the public during the breach response is important, said Kenneth Leeser, president of Newton, Mass.-based Kaliber Data Security. Leeser, a risk management specialist, said organizations that attempt to cover up lapses often suffer more significant brand reputation damage than those that come out with all of the facts associated with a breach.

"People want sunshine and insist that the breached organization sheds light with clear and concise information about the matter," Leeser said. "People accept the bad things that happen, but it's how you respond that ultimately determines public opinion in the marketplace."

The breach and a string of similar user account breaches at e-commerce businesses and social networks in 2013 have shed light on how data is protected and accessed, say solution providers. E-commerce startup LivingSocial revealed a breach of its user accounts last year and reset the passwords of at least 50 million users after finding malware on its internal servers.

Online data storage service Evernote was the victim of a breach impacting some 50 million users. Twitter, Tumblr and Pinterest users also were impacted by a data security breach at third-party customer service provider Zendesk. And millions of usernames and passwords were exposed in the 2012 breach at social networking site LinkedIn, which had stored the passwords as unsalted SHA-1 hashes and so did not adequately protect them.

Leeser said organizations are increasingly putting mechanisms in place to proactively monitor system logs for employee login attempts that could signal suspicious activity.

Tools are available to automate the process of monitoring system access and addressing or challenging users that show signs of suspicious activity, Leeser said. The software often helps IT teams manage privileges and eliminate inactive employee accounts or temporary access granted to contractors or other third-party partners to systems, he said.
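The monitoring Leeser describes comes down to a few checks run continuously over authentication logs. The added example below (not from the article, and not any vendor's product) runs three of them over a constructed, syslog-style log in an assumed `auth user= src= result=` format: a burst of failures followed by a success for the same account (password guessing or credential stuffing), a successful login from a source address never seen for that user, and accounts with no successful login inside 90 days, which are the inactive employee or contractor accounts worth removing. Thresholds, the baseline of known addresses and the account list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log; the format is an assumption, not eBay's.
SAMPLE_LOG = """\
2014-01-15T10:02:44Z auth user=contractor1 src=192.0.2.66 result=OK
2014-05-21T02:58:11Z auth user=jdoe src=198.51.100.4 result=OK
2014-05-21T03:10:01Z auth user=asmith src=203.0.113.7 result=FAIL
2014-05-21T03:10:04Z auth user=asmith src=203.0.113.7 result=FAIL
2014-05-21T03:10:08Z auth user=asmith src=203.0.113.7 result=FAIL
2014-05-21T03:10:12Z auth user=asmith src=203.0.113.7 result=FAIL
2014-05-21T03:10:15Z auth user=asmith src=203.0.113.7 result=FAIL
2014-05-21T03:10:20Z auth user=asmith src=203.0.113.7 result=OK
2014-05-21T09:15:33Z auth user=jdoe src=198.51.100.4 result=OK
"""

# Constructed baseline: addresses each account has used before, and the full account list.
KNOWN_SOURCES = {"jdoe": {"198.51.100.4"}, "asmith": {"198.51.100.9"}, "contractor1": {"192.0.2.66"}}
ALL_ACCOUNTS = {"jdoe", "asmith", "contractor1", "oldtemp"}
NOW = datetime(2014, 5, 22, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than stop the monitor
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)) -> list:
    """Flag a successful login preceded by >= threshold failures for that user within window."""
    recent = defaultdict(list)
    alerts = []
    for e in events:
        fails = [t for t in recent[e["user"]] if e["ts"] - t <= window]   # drop stale failures
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append((e["user"], e["src"], e["ts"].isoformat()))
            fails = []
        recent[e["user"]] = fails
    return alerts


def logins_from_new_source(events, known) -> list:
    """Flag successful logins from an address never seen for that account; alert once per address."""
    seen = {u: set(s) for u, s in known.items()}
    alerts = []
    for e in events:
        if e["result"] != "OK":
            continue
        addrs = seen.setdefault(e["user"], set())
        if e["src"] not in addrs:
            alerts.append((e["user"], e["src"], e["ts"].isoformat()))
            addrs.add(e["src"])
    return alerts


def stale_accounts(events, accounts, now, max_idle=timedelta(days=90)) -> list:
    """Accounts with no successful login within max_idle (or ever): candidates for removal."""
    last_ok = {}
    for e in events:
        if e["result"] == "OK":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u in accounts if u not in last_ok or now - last_ok[u] > max_idle)


def run(text: str = SAMPLE_LOG, now: datetime = NOW) -> dict:
    events = parse(text)
    return {
        "events": len(events),
        "guessing": failures_then_success(events),
        "new_source": logins_from_new_source(events, KNOWN_SOURCES),
        "stale": stale_accounts(events, ALL_ACCOUNTS, now),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On the sample, `asmith` trips both the guessing and the new-source rules (five failures, then a success from an address the account had never used), and `contractor1` and `oldtemp` show up as stale. The two rules firing together on one account is the signal worth a challenge or a forced re-authentication, which is the point of feeding such checks into the access tools Leeser mentions.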

"Monitoring system access is growing increasingly complex, especially with cloud implementations, the use of third-party services and the Bring-Your-Own-Device phenomenon," Leeser said.

When IT implements measures to enforce employee or customer password restrictions, it is often met with pushback from system users or account holders, said Eric Peters, a sales executive at Seattle-based solution provider Trebron Company Inc. There's often a fear, especially among small and midsize businesses, that enforcing authentication and access-control policy will frustrate users and result in lost business or hampered productivity, Peters said.

"Talking to customers about security and preaching best practices to them is one thing, but successfully implementing them with the least amount of pain is another," Peters said. "It's often a balancing act for IT directors."

In addition to passwords, the database exposed in the breach contained physical and email addresses, user date of birth, phone numbers and other information, eBay said. The data is valuable to spammers and could make eBay account holders more susceptible to falling for an online scam and phishing attacks, said Cameron Camp, a security researcher at the U.S. arm of Bratislava, Slovakia-based antivirus vendor ESET. Camp said scammers also can send out email messages spoofing eBay in an attempt to get account credential information from users.

eBay and other businesses often weigh implementing security controls against business interests, a calculation based on a variety of factors, including the company's risk tolerance, Camp said. Business interests often trump security, he said.

"The extent of security measures businesses put in place to protect systems containing sensitive data depends on the context of the information you are protecting," Camp said. "There has to be system segregation and context behind the data you are interacting with to put practical security measures in place."