The past few months have been tough where security is concerned. First Target was hit by a massive breach across its chain of retail stores. Then came the reports of Heartbleed, the widespread vulnerability in the OpenSSL library. In April, online portal AOL reported that hackers had stolen email addresses, passwords, contact lists and other information from a large number of its 120 million users.

This time the victim is one of the biggest online auction and retail institutions in the world: eBay. Its customer and user database was compromised in February and March, but the breach was not discovered until early May. As a result, eBay is recommending that all of its 145 million active buyers and sellers change their passwords immediately.

Financial Information Safe – for Now

Amanda Miller, a spokeswoman for the company, told The New York Times on May 21 that there was no indication that any financial information, such as credit card numbers, or any data about PayPal account holders had been compromised, and that there had been no reports to date of unauthorized activity related to the breach. (PayPal is owned by eBay.)

Alan Marks, senior vice president of global communications for eBay, told The Times that users' passwords were not stored in the clear but were protected by hashing, a one-way transformation that turns a password into a fixed-length digest from which the original cannot be read back directly. eBay Chief Technology Officer Mark Carges explained that each password was combined with random data before hashing, a procedure known as salting, so that two users who chose the same password do not end up with the same stored value and an attacker cannot run one precomputed table against the whole database at once. Hashing is not encryption, and the distinction matters: whoever holds the stolen hashes can still guess passwords offline and check each guess against the stored values, so how much protection the hashing gives depends on the hash function and work factor used and on how weak the password was. That is why the advice to change passwords stands even though the passwords were hashed. eBay also said that financial records are kept separately from users' personal information and login credentials.

Nonetheless, the attackers obtained highly sensitive personal information about eBay users: full names, email addresses, street addresses, telephone numbers, dates of birth, and the hashed passwords. Users should expect convincing phishing messages that use those details, along with other attempts to lure them into handing over financial information or other data that could be used for identity theft. Users who reuse the same login credentials on more than one site should treat those other accounts as exposed too, since a password cracked from the eBay database can be tried against any other service.

Bringing the Breach to Light

The compromise came to light when an internal security team noticed unusual activity by employee accounts on the corporate network. Further investigation, with the assistance of the FBI and an outside forensics team, traced it to a cyber attack against eBay in February 2014 in which the login credentials of a small group of employees were stolen. The attackers then used those credentials to reach and copy a database containing information on all of eBay's users.

The breach might never have been made public but for a provision in North Dakota state law that requires consumers to be informed whenever a data compromise involves names paired with birthdates. Most state laws have no such requirement. But in today's hyper-connected world, a notice sent to consumers in North Dakota inevitably becomes news across the country, if not around the world.

Welcome to the New Normal

Security experts warn that there is every reason to expect further breaches. This one is a reminder that nothing online is 100 percent safe. Since giving up the Internet is impractical or impossible for most people, the key is to limit your exposure: use a strong, unique password for every website, so that a database stolen from one service cannot be replayed against your accounts elsewhere. Password managers such as LastPass and Keeper make this practical without memorizing dozens of passwords, so there is little excuse not to protect yourself.

Do you buy movie tickets with the Fandango app or check your finances with the Credit Karma app on your smartphone? You might want to rethink that practice, especially if you routinely use either app over public Wi-Fi. According to a statement released by the Federal Trade Commission on March 28, 2014, users of Credit Karma's and Fandango's apps were potentially vulnerable to "man in the middle" attacks, in which an attacker positioned between the app and the company's servers can intercept, read and alter the information transmitted to or from the apps. Source: FTC

Both the iOS and Android versions of the Credit Karma and Fandango apps were vulnerable, according to the FTC. The shortcomings in the Fandango apps persisted from March 2009 through February 2013; the FTC did not say how long the Credit Karma apps were affected.

1. SSL Issues in Mobile Apps

The FTC said that both Credit Karma and Fandango could have greatly reduced this risk by performing basic security tests before releasing their apps and by following industry-standard security practices within them. Instead, both companies told users more about the safety and privacy of their sensitive personal information than the apps actually delivered. As a result, users of both apps may unknowingly have placed sensitive personal information at risk, especially when using the apps on shared networks in locations such as coffee shops, public libraries and airports.

According to the FTC, both Credit Karma and Fandango had disabled a critical security check in their apps: SSL certificate validation. SSL (secure sockets layer) is the protocol that encrypts the connection; certificate validation is the step in which the app checks that the certificate presented by the server was issued by a certificate authority the app trusts and was issued for the hostname the app meant to reach. With that check in place, an attacker on the same network who intercepts the connection and presents a forged certificate is rejected. Without it, the app still sets up an encrypted connection, but with whoever answers, so anyone able to intercept traffic on a shared network can sit between the app and the company's servers and read or alter everything the app sends and receives. Encryption without validation protects against nobody who is actually in a position to attack.
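To make the certificate-validation point concrete, here is an added example written for this article, in Go rather than the apps' own iOS or Android code, and not code from Credit Karma, Fandango or the FTC. It starts a TLS server on loopback with a self-signed certificate for a hypothetical hostname, api.example.test, and connects to it three ways: with validation disabled (the configuration the FTC described), with validation enabled against a trust store that does not contain the certificate (the interception case), and with validation enabled against a trust store that does (the genuine-server case). The hostname, the certificate and the three scenarios are all constructed for the example:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert makes a self-signed certificate for host. It stands in for
// the genuine server or for an interception proxy: either way the certificate
// is well-formed and names the right host; only the trust store tells them apart.
func newServerCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// listenTLS serves cert on loopback and completes one handshake; finishing
// the handshake is all an interceptor needs to do to see the app's plaintext.
func listenTLS(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		c, err := ln.Accept()
		if err == nil {
			_ = c.(*tls.Conn).Handshake() // fails when the client rejects us; that is expected
			c.Close()
		}
	}()
	return ln, nil
}

// Try connects to a fresh server the way the app would. skipVerify mirrors
// the disabled certificate validation the FTC described; trustServer puts the
// server's certificate in the client's trust store (the genuine-server case).
// It returns "accepted" or "rejected: unknown CA".
func Try(skipVerify, trustServer bool) (string, error) {
	const host = "api.example.test" // hypothetical hostname for the example
	cert, parsed, err := newServerCert(host)
	if err != nil {
		return "", err
	}
	ln, err := listenTLS(cert)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	roots := x509.NewCertPool() // the app's trust store: empty unless we add to it
	if trustServer {
		roots.AddCert(parsed)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         host,
		RootCAs:            roots,
		InsecureSkipVerify: skipVerify, // true is what "disabling certificate validation" means here
	})
	if err == nil {
		conn.Close()
		return "accepted", nil
	}
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return "rejected: unknown CA", nil
	}
	return "", err
}

func main() {
	for _, c := range [][2]bool{{true, false}, {false, false}, {false, true}} {
		out, err := Try(c[0], c[1])
		fmt.Printf("skipVerify=%-5v trustServer=%-5v -> %s %v\n", c[0], c[1], out, err)
	}
}
```

The only difference between the first two connections is InsecureSkipVerify, the Go equivalent of the setting the apps turned off: with it on, the untrusted server is accepted and the "encrypted" session is with the attacker; with it off, the handshake is refused. The third connection shows that validation does not break the legitimate case, so there was no functional reason to disable it. On Android the equivalent mistake is a custom TrustManager whose checkServerTrusted method does nothing; on iOS it is a connection delegate that accepts any server trust challenge.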

The FTC also said that both companies could have reduced the risk by performing adequate security reviews and by monitoring third-party vulnerability reports. Credit Karma had allegedly been warned by a user about the flaw in its iOS app but failed to act on the warning; the following month it released the Android version of its app with the same vulnerability.

2. Overexposure to Fraud and Identity Theft

Along with failing to implement adequate security measures, Fandango and Credit Karma exposed users of their apps to potential credit card fraud and identity theft. Fandango customers who used its mobile app potentially exposed credit card numbers, email addresses and passwords. Users of Credit Karma's apps were even more exposed, because those apps handle Social Security numbers, bank account information, dates of birth, credit report information and credit scores, home addresses, email addresses and passwords.

3. FTC Settlements Reached

Both Credit Karma and Fandango reached settlements with the FTC requiring each to establish what the FTC called a "comprehensive security program" to address security risks in future versions of their mobile apps. Both companies must have their apps independently assessed every other year for the next two decades. No monetary penalties were imposed on either company.

Protecting Yourself

If you used either the Fandango or the Credit Karma mobile app in recent years, you would be well advised to obtain copies of your credit report from all three major credit reporting agencies: Experian, Equifax and TransUnion. You might also consider placing a fraud alert on your credit file, which requires merchants and lenders to take extra steps to verify identity before issuing credit in your name. Whether or not you used either app, installing a security app such as Lookout on your mobile device, and exercising caution about what you do while connected to a public Wi-Fi network, can reduce the risk that you will be victimized.