eBay Data Breach

You may or may not be aware of the problem eBay faced a few months ago, calling it a mini instance of the ‘Heartbleed attack’ I mentioned recently.

After forensic investigation, it was found that eBay (ebay data breach in 2014) was actually hacked back in February and yet eBay only sent out emails to their users alerting them to change their passwords in May, leaving users vulnerable to attack for longer than perhaps necessary. With the actual compromise occurring months before, even a large organisation like eBay took quite a long time to react. For small businesses, with little or no IT support or IT security in place, a breach could go unnoticed.

So what did the hackers do? They gained access to and used an internal eBay corporate account to spy on usernames, email addresses, home addresses, telephone numbers and dates of birth too. The hackers were able to access passwords, but like all cyber-savvy organisations these were in encrypted form rather than ‘plain text’ form, so it is unlikely they were decrypted and used.
However, as a precaution, over 145 million users were prompted to change their passwords. It was unlikely that user’s passwords were compromised, but many people use the same password for multiple accounts, and it was due to this that eBay felt there was sufficient risk to their user base. The responsibility of all organisations is to protect their customer credentials and data. The balance of this breach versus the negative publicity is a massive dilemma for organisations of all sizes.
After the recent Heartbleed incident, over 67% of web users did not update their passwords.

Managing passwords and account details is tricky for small businesses, so the easy option is to share accounts and passwords with staff. However, this is clearly lazy, wrong, and actually exposes the organisation to potential fraud from employees.

Conclusion – go look at your passwords. Change them regularly, maybe on a key date each year. Ideally more frequently. Keep cyber safe.