Wednesday, May 21, 2014

145 million person EBAY Breach?

  1. New York Times - by Nicole Perlroth - 5 hours ago
     EBay learned this month of a security breach that had occurred in late February, according to a company spokeswoman, who added that ...
  2. Washington Post (blog) - by Andrea Peterson - 12 hours ago

    EBay Urges New Passwords After Breach


    Photo: EBay learned this month of a security breach that had occurred in late February, according to a company spokeswoman, who added that PayPal accounts were not affected. Credit: Justin Sullivan/Getty Images

    SAN FRANCISCO — In the latest prominent breach of a company’s computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said on Wednesday.
    The hackers broke into an eBay database containing names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers.
    There was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal, which is owned by eBay, said Amanda Miller, a company spokeswoman. The company has not seen evidence of fraudulent activity that could be linked to the breach, she said.
    Still, hackers could use the stolen data for identity theft. Personal information — such as email addresses, passwords and birth dates — is regularly sold to criminals who use it for phishing or identity theft.


    Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send emails that bait victims into clicking on malicious links or direct them to fake log-in screens where they are asked to enter more valuable information like a password or a Social Security number.
    “Expect an uptick in phishing. Do not click links in email or discuss anything over the phone,” warned Trey Ford, a strategist at Rapid7, a security firm in Boston.
    EBay discovered the breach this month when the company’s internal security team noticed that some of its employees were engaged in unusual activity on its corporate network, said Mark Carges, the company’s chief technology officer.
    EBay contacted the Federal Bureau of Investigation’s San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay’s corporate network since late February.
    By studying computer logs, eBay discovered that hackers had stolen the credentials of several of its employees and gained unauthorized access to eBay’s corporate network. Once inside, they were able to copy a database containing information on all 145 million of the company’s customers, according to Alan Marks, eBay’s senior vice president of global communications.
    Mr. Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change their passwords immediately.
    Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information like a credit card or a Social Security number. But there are exceptions for encrypted information.
    In eBay’s case, the company stored users’ names, email and physical addresses and birth dates in plain text but encrypted their passwords. Most states would not have required eBay to disclose the breach. But one state, North Dakota, requires companies to disclose a breach in cases where a customer’s name is compromised in conjunction with a birth date.
    Mr. Carges said eBay camouflaged customers’ passwords with encryption, using a process known as hashing, in which passwords are mashed up with a mathematical algorithm and stored only in encoded or “hashed” form.
    To make cracking more difficult, Mr. Carges said, eBay also appended several random digits to customer passwords — a process known as salting — before encrypting the passwords. Salting makes cracking them more difficult, although not impossible.
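    The two paragraphs above describe hashing and salting loosely. Two points a practitioner would want pinned down: a hash is one-way, so "encrypted" passwords in this sense cannot be decrypted, only guessed at; and a salt is a per-password random value (bytes, not a few digits) stored in the clear next to the hash, whose job is to make every stored hash unique so that one precomputed table cannot crack all 145 million accounts at once. Salting does nothing against an attacker who simply guesses weak passwords account by account, which is why the article's "more difficult, although not impossible" is exactly right. The script below is an added example written for this page, not eBay's code; the article does not say which algorithm or salt format eBay used, so PBKDF2-HMAC-SHA256 is assumed as a stand-in, and the users, passwords and wordlist are constructed for the demo.

```python
"""Salted password hashing versus an unsalted hash, plus the attacker's
offline guessing run against both. Added example, not eBay's code; the
KDF (PBKDF2-HMAC-SHA256) is an assumption, and all sample data below is
constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor. Kept modest so the demo runs in seconds; production systems
# use a higher count or a memory-hard KDF such as scrypt or Argon2.
ITERATIONS = 50_000
SALT_BYTES = 16  # 128-bit random salt, freshly generated per password


def unsalted_digest(password: str) -> str:
    """What NOT to do: a bare hash. Equal passwords give equal digests,
    so one precomputed table cracks every account that shares a password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    The salt is stored in the clear; it is not a secret, it only forces
    the attacker to redo the work for each account."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_unsalted(records: dict, wordlist: list) -> dict:
    """Attacker side, unsalted: hash the wordlist ONCE, then look every
    stolen digest up in the table. Cost is |wordlist|, regardless of how
    many users leaked."""
    table = {unsalted_digest(w): w for w in wordlist}
    return {user: table[d] for user, d in records.items() if d in table}


def crack_salted(records: dict, wordlist: list) -> dict:
    """Attacker side, salted: no shared table is possible because every
    record carries its own salt, so each guess is recomputed per account.
    Cost is |wordlist| * |users| * iterations. Weak passwords still fall."""
    found = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                found[user] = word
                break
    return found


# Constructed sample data for the demo (not real accounts).
USERS = {
    "alice": "password1",           # weak, present in the wordlist
    "bob": "password1",             # same weak password as alice
    "carol": "zV9!tq#Lm2wRk$8hB",   # long random password, not in any list
}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "ebay2014"]


def run_demo() -> dict:
    """Store the sample passwords both ways and run both attacks."""
    unsalted = {u: unsalted_digest(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],  # True
        "salted_collide": salted["alice"] == salted["bob"],        # False
        "verify_ok": verify_password("password1", salted["alice"]),
        "verify_wrong": verify_password("password2", salted["alice"]),
        "cracked_unsalted": crack_unsalted(unsalted, WORDLIST),
        "cracked_salted": crack_salted(salted, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    Run it and both attacks recover alice's and bob's "password1" while carol's survives either way; the difference is that the unsalted table did all users in one pass, whereas the salted run had to pay the full iteration count for every (user, guess) pair. That per-account cost, multiplied by a high work factor, is the only protection salting buys; a breach of this size still means every user who reused a weak password should assume it is known.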
    Mr. Marks said that on Wednesday the company would begin prompting users to change their passwords and alerting customers to the breach.
    Peter D. Lee, a spokesman for the F.B.I.’s San Francisco field office, said the F.B.I. was working closely with eBay to investigate the breach and that he believed that arrests would be made soon.
    The breach at eBay is one of several recent hacking episodes at prominent companies. One that struck Target in December has cost the retailer $87 million in breach-related expenses, according to securities filings.
    Correction: May 21, 2014
    Because of erroneous information provided by a spokeswoman for the company, a previous version of this article misstated when eBay learned of an attack on its computers. EBay became aware of the breach in early May, and it was discovered that it had first occurred in late February; eBay did not discover the breach in February.
