The past few months have been tough where security is concerned. First Target was hit by a massive security breach throughout their chain of retail stores. Then the disturbing reports about the extensive Heartbleed security threat came to light. In April, online portal AOL reported that hackers had stolen email addresses, passwords, contact lists and other information from a large number of its 120 million users.
This time around the intrusion occurred through one of the biggest online auction and retail institutions in the world – eBay. Compromises in the customer and user database for eBay took place in February and March, but the breach was only discovered in early May. As a result of the security violation, eBay is recommending that all of its 145 million active buyers and sellers change their passwords immediately.
Financial Information Safe – for Now
Amanda Miller, a spokeswoman for the company, told The New York Times on May 21 that there was no indication that any financial information such as credit card numbers or PayPal account information was compromised. There have also been no reports to date of unauthorized activity related to the security breach on eBay. There is also no indication that any information about PayPal account holders was compromised in any way. (PayPal is owned by eBay.)
Alan Marks, senior vice president of global communications for eBay, stated to The Times that users’ passwords were encrypted and camouflaged through a technique called hashing. EBay Chief Technology Officer Mark Carges explained to The Times that users’ passwords were further protected before undergoing encryption by the addition of several random digits in a procedure known as salting. EBay financial records are also kept separately from users’ personal information and login credentials.
Nonetheless, hackers gained access to highly sensitive personal information about eBay users, including their full names, email addresses, street addresses, telephone numbers, dates of birth – and their encrypted passwords. Users should brace themselves for suspicious email messages along with other attempts to lure them into providing financial information or other data that could be used for identity theft. Users who maintain the same login credentials for more than one site may find that their accounts on sites outside of eBay have also been compromised.
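The salting step described above, shown as an added example that is not part of the original article and is not eBay's code: it assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count (the article does not name the algorithm eBay used), and the account names and passwords are constructed. It compares what a copied credential table reveals when passwords are hashed without a salt and with a per-user random salt.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: illustrative work factor, tune for your hardware
SALT_BYTES = 16       # assumption: 128-bit random salt per user

def unsalted_digest(password: str) -> str:
    """Weak baseline: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${derived.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        iterations_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if not 1 <= iterations <= 10_000_000:
        return False  # reject absurd work factors from a corrupted record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)

def shared_password_groups(stored: dict[str, str]) -> list[list[str]]:
    """Users whose stored values are identical, as visible in a copied table."""
    groups: dict[str, list[str]] = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts (not real data).
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted, shared:", shared_password_groups(unsalted))
    print("salted, shared:  ", shared_password_groups(salted))
    print("login check:", verify_password("correct horse", salted["alice"]))
```

Salting hides which accounts share a password and forces each stored value to be guessed separately; it does not protect a password that is weak or reused on another site.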
Bringing the Breach to Light
The data compromise came to light when an internal security team noticed unusual employee activity on the corporate network. After further investigation – including recruiting the assistance of the San Francisco, the FBI, and an outside forensics team – it was revealed that the compromise resulted from a cyber attack against eBay in February 2014. The cyber attack resulted in the theft of the login credentials of a small group of employees. The hackers used their unauthorized access to steal a database including information on all of eBay’s users.
The breach might never have been publicized except for a provision in North Dakota state law that requires consumers to be informed whenever data compromises occur that involve names paired with birthdates. Most state laws do not have such requirements. But in today’s hyper-connected world, it would be impossible to fulfill the requirement of informing consumers in North Dakota without having the security compromise become news across the country – if not around the world.
Welcome to the New Normal
Security experts warn that there is every reason to believe that security failures will continue to occur. This latest breach should serve as a reminder that there is no such thing as being 100 percent safe while online. Still, for most people it is impractical or even impossible to stop using the Internet. The key to remaining as safe as possible is to minimize the exposure to which you subject yourself. Using strong, original passwords for each website is imperative. Free software programs like LastPass and Keeper allow users to practice safe password management without the need to memorize dozens of passwords, so there is no excuse not to protect yourself.