eBay under fire over handling of data breach

eBay has come under increasing criticism for its handling of the major data breach that exposed personal details of millions of users.

The outrage has grown in the days since the breach was made public, following several posts on Pastebin claiming to offer the stolen data for sale.

This breach demonstrates the importance of preparing for data breaches, says security and privacy lawyer Stewart Room. “Lesson for business: scenario plan so you look slick when hit,” he tweeted.

It took eBay several weeks to detect the intrusion, but users are angry the company delayed a further two weeks after confirming data had been accessed before notifying anyone.

This means attackers had at least two months to either sell the details on underground forums or use them directly to commit fraud and other cyber crime.

eBay claims it had to take time to investigate the scope and nature of the breach before making a public announcement.

The company also said in a statement on its website that no financial details were at risk and that it has seen no evidence of increased fraudulent activity as a result of the security breach.

eBay also came under criticism for being slow to introduce mechanisms to force users to reset passwords. Instead the company is relying on users to take the initiative.

Information Commissioner Christopher Graham has described the breach as “very serious” and urged users of the e-commerce site to be wary of phishing emails claiming to be from eBay.

“The message for business is you've got be better at security,and you've got to be better with our personal data,” he told BBC Radio 4.

eBay claims to be “working hard” to fix things, but told the BBC that protecting users’ information is its first priority and ensuring it deals properly with the “technical challenges” such a situation brings.

"Other steps, including email notification, will follow, and we will ensure all eBay users have changed their passwords over the coming days,” the company said.

But security and privacy commentators alike have said eBay should have been better prepared to notify users as soon as it was aware of the breach and put mechanisms in place to force a password change.

The company has also been criticised for failing to have two-factor authentication for employees after it admitted that attackers compromised employee login details to access the user database.

According to research released by SafeNet, less than 15% of companies have implemented multi-factor authentication for 100% of their employees.

 Multi-factor authentication eliminates the inherent insecurity of static passwords by requiring an additional level of user authentication, such as passcode sent to a mobile phone.

“Given the increasing number of data breaches we are seeing, a combination of strong authentication and data encryption will play an increasingly central role in any organisation’s security strategy,” said  Jason Hart, vice-president of cloud solutions at SafeNet.

The security industry has also criticised eBay for failing to encrypt all customer details and not just passwords.

"We provide different levels of security based on different types of information we're storing and all financial information across all of our business is encrypted," eBay told the BBC.

However, eBay has not provided any details of what encryption was used for the passwords, and, as some security experts point out, not all encryption is equal.

Any organisation that is breached should explain what encryption algorithm it used, and whether or not the passwords were salted and hashed to make it harder for a cracker to brute-force them, said independent security analyst Graham Cluley.

“Unfortunately the general public uses the term ‘encrypted’ a lot, and puts a lot of weight behind the term believing that it means that if something is encrypted it can’t be decrypted by a hacker. But, sadly, that’s often not the case,” he wrote in a blog post.

Cluley said that, when a password is properly salted and hashed, it goes through a one-way process which cannot be easily reversed.

Commenting on a free sample of more than 12,000 passwords supposedly stolen from eBay posted on Pastebin, Trey Ford, global security strategist at Rapid7, said indications are that cracking all the passwords will take a considerable time.

“This is nothing like what we saw when LinkedIn was breached and the stolen credentials were quickly cracked due to only SHA-1 hashing being used for storage,” he said.

Although eBay has made no claims about salting and hashing, and there is no way of verifying if the sample credentials were indeed stolen from eBay, they do appear to have been salted and hashed.

“This credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes, which means they employ a strong hash function and intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations.

“The method used can be regarded as the state-of-the-art way to store passwords on web applications. Again though, we don’t know that these are credentials taken from the eBay breach, and no details have come from eBay on how they secure passwords,” he said.

Ford said eBay should invalidate all compromised passwords. “There is a level of friction or frustration to impose by doing this, but a very worthwhile tradeoff in elevating the safety of their customers.

“If eBay chooses to force all users to go through a password reset, the stolen passwords would be useless at eBay, but people would still need to change them on any other site for which they were used,” he said.

More on data breaches

• Target data breach: Why UK business needs to pay attention
• How to mitigate risk associated with a customer's potential data breach
• Infosec 2014: UK data breaches slightly down but cost way up, report shows