Online marketplace eBay is forcing users to change their passwords after a cyber-attack compromised its systems. The firm said a database had been hacked between late February and early March of 2014, and had contained encrypted passwords and other non-financial data. The company added that it had no evidence of there being unauthorized activity on its members' accounts. However, it said that changing the passwords was the "best practice and will help enhance security for eBay users".
Rico says that this is not the first one of these; WTF is up with the IT community that it can't keep hackers out?
The California-based company has 128 million active users and accounted for over two hundred billion dollars worth of commerce on its various marketplaces and other services in 2013.
It said it would be contacting users to alert them of the issue via email, its website, advertisements, and social media. A spokesman added that the firm's engineers were in the process of rolling out a feature that would oblige members to choose new passwords when they next logged in, which should be live in each of the countries eBay operated in by the end of the day.
A post on eBay's corporate site said that cyber-attackers accessed the information after obtaining "a small number of employee log-in credentials", allowing them to access its systems, something it only became aware of two weeks ago.
"The database... included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth," it said. "However, the database did not contain financial information or other confidential personal information. Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today."
Although the firm also owns the PayPal money transfer service, it said that the division's data was stored separately, encrypted, and that there was no evidence that it had been accessed. It added that any members who used the same login details used on eBay for other sites should also update them. eBay has not provided any information about the kind of encryption it used.
One expert said there was still a concern that the hackers might be able to make use of their haul. "We all know that, given enough time, hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant. "The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities, or even help them get around other systems through password reset scams." He offers this advice:
Don't choose one obviously associated with you: Hackers can find out a lot about you from social media so, if they are targeting you specifically and you choose, say, your pet's name, you're in trouble.
Choose words that don't appear in a dictionary: hackers can precalculate the encrypted forms of whole dictionaries and easily reverse-engineer your password.
Use a mixture of unusual characters: you can use a word or phrase that you can easily remember but where characters are substituted, like Myd0gha2B1g3ars!
Have different passwords for different sites and systems: if hackers compromise one system, you do not want them having the key to unlock all your other accounts.
Keep them safely: with multiple passwords, it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
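The dictionary-precomputation point in the advice above, shown from the storage side as an added example (not from the BBC article or this blog): a table built once matches every unsalted hash of a dictionary word, while a per-user salt and a slow key-derivation function make that table useless. The wordlist, the account names and the choice of SHA-256 and PBKDF2 are assumptions; eBay has not said how its passwords were protected.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for "a whole dictionary".
WORDLIST = ["password", "sunshine", "dragon", "monkey", "rover"]

def unsalted_hash(password):
    """Weak storage: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup(words):
    """Precompute hash -> word once; the table is reusable for every record."""
    return {unsalted_hash(w): w for w in words}

def audit(stored_hashes, lookup):
    """Return accounts whose unsalted hash appears in the precomputed table."""
    return {u: lookup[h] for u, h in stored_hashes.items() if h in lookup}

def salted_record(password, salt=None, rounds=200_000):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    # Constructed accounts: one pet-name password, one phrase from the advice.
    stored = {
        "alice": unsalted_hash("rover"),
        "bob": unsalted_hash("Myd0gha2B1g3ars!"),
    }
    print("exposed by table lookup:", audit(stored, lookup))
    a, b = salted_record("rover"), salted_record("rover")
    print("same password, different stored values:", a[2] != b[2])
    print("salted value in table:", a[2].hex() in lookup)
    print("login still works:", verify("rover", a))
```

A salt does not rescue a dictionary password from targeted guessing against one account; it removes the shortcut of one table matching every account at once.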
22 May 2014
Oops is now an eBay term
The BBC has an article by Leo Kelion about yet another hacking screwup: