
EBay, hit by a cyber attack, urges 145 million users to change passwords

EBay says that credit card and other financial data, including that of its PayPal subsidiary, were not compromised. But cyber experts worry that it took weeks for the breach to be discovered.

Mike Blake/Reuters/File
The results of a Google image search on eBay are shown on a monitor in this photo illustration in Encinitas, Calif., on April 16, 2013. The e-commerce company on Wednesday announced that client identity information, including e-mails, addresses, and birthdays, was stolen in a hacking attack between late February and early March.

Online auction giant eBay Inc. said early Wednesday it was hit by a cyber-attack and, as a precautionary measure, is asking its 145 million active users to change their passwords, because hackers had infiltrated a database containing encrypted passwords and other nonfinancial personal data.

In a statement on its website, the company said the attack that occurred in late February and March compromised “a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network.”

The attackers then used those credentials to access a database that included eBay customer names, encrypted passwords, e-mail addresses, physical addresses, phone numbers, and dates of birth. The company stressed that credit-card and other financial data, including that of its PayPal subsidiary, were not compromised.

The company said it has seen no indication of increased fraudulent account activity on eBay, and no evidence of unauthorized access to, or compromise of, personal or financial information belonging to PayPal users.

“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” eBay said in a statement. “However, changing passwords is a best practice and will help enhance security for eBay users.”

But several factors still worry cyber-security experts – including the fact that the breach was detected only two weeks ago, leaving the intruders inside the company network undetected for weeks with plenty of time to exploit it. Passwords, even though encrypted, are still subject to so-called “brute force” password cracking, cyber experts say: an attacker who holds a copy of the database can test guesses against it offline, as fast as the hardware allows and with no account lockout to slow the process, so short and common passwords are recovered first. Also, a consumer often uses the same password across several sites, so a password recovered from one breach can be tried against that user's accounts elsewhere. As well, the large amount of exposed personal information could still be a potential gold mine for identity thieves, they say.
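The cracking-and-reuse risk described above, as an added example that is not code from the original article or from eBay: it builds a constructed password table (the user names, passwords, wordlist and salts are all made up here), runs an offline dictionary attack against it, and then checks which recovered passwords also open the same users' accounts at a second constructed site. The function names `fast_hash`, `slow_hash`, `crack` and `stuffing_exposure` are assumptions of this demo, not any real product's API.

```python
"""Offline cracking of a stolen password table, and what password reuse then costs.

Added example with constructed data; not eBay's records, code or storage format.
"""
import hashlib
import time

# Constructed wordlist: stands in for the large leaked-password lists real cracking rigs use.
WORDLIST = ["123456", "password", "Password1", "letmein", "qwerty", "ebay2014", "welcome1"]

# Constructed accounts. The "auction" site is the breached one; the "bank" site is
# somewhere the same people also hold accounts. Two of the four reuse a password.
LEAKED_SITE_PASSWORDS = {
    "alice": "Password1",
    "bob": "correct horse battery staple",   # not in the wordlist, survives the attack
    "carol": "letmein",
    "dave": "ebay2014",
}
OTHER_SITE_PASSWORDS = {
    "alice": "Password1",    # reused
    "bob": "tr0ub4dor&3",
    "carol": "letmein",      # reused
    "dave": "Ebay2014!",     # different, so the cracked one does not transfer
}


def fast_hash(salt: bytes, password: str) -> str:
    """One salted SHA-256 round: cheap for the site, and exactly as cheap for the cracker."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: same salt, but every guess now costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_salt(site: str, user: str) -> bytes:
    """Deterministic 16-byte salt so the demo is reproducible; real salts must be random."""
    return hashlib.sha256(f"{site}:{user}".encode("utf-8")).digest()[:16]


def build_store(site, passwords, hasher):
    """Model the stolen table: one (user, salt, digest) row per account, no plaintext."""
    rows = []
    for user, pw in passwords.items():
        salt = make_salt(site, user)
        rows.append((user, salt, hasher(salt, pw)))
    return rows


def crack(store, wordlist, hasher):
    """Offline dictionary attack: recompute each candidate under the row's salt, compare digests.

    Returns (user -> recovered password, number of hash computations spent). The salt
    forces one computation per row per candidate; it does not stop the attack.
    """
    recovered, guesses = {}, 0
    for user, salt, digest in store:
        for candidate in wordlist:
            guesses += 1
            if hasher(salt, candidate) == digest:
                recovered[user] = candidate
                break
    return recovered, guesses


def stuffing_exposure(recovered, other_store, hasher):
    """Credential stuffing: try each recovered password against the same username elsewhere."""
    hits = []
    for user, salt, digest in other_store:
        pw = recovered.get(user)
        if pw is not None and hasher(salt, pw) == digest:
            hits.append(user)
    return hits


def run_demo(hasher):
    """Crack the leaked table with `hasher`, then measure reuse exposure at the second site."""
    leaked = build_store("auction", LEAKED_SITE_PASSWORDS, hasher)
    other = build_store("bank", OTHER_SITE_PASSWORDS, hasher)
    found, guesses = crack(leaked, WORDLIST, hasher)
    return {"cracked": found, "guesses": guesses, "reused": stuffing_exposure(found, other, hasher)}


if __name__ == "__main__":
    for name, hasher in (("salted SHA-256", fast_hash), ("PBKDF2 100k rounds", slow_hash)):
        t0 = time.perf_counter()
        result = run_demo(hasher)
        print(f"{name}: cracked {sorted(result['cracked'])} in {result['guesses']} guesses, "
              f"{time.perf_counter() - t0:.3f}s; also valid at the bank: {result['reused']}")
```

Both hashers yield the same three cracked accounts and the same two reused logins; the slow KDF changes only the price of each guess, which is why wordlist size and password strength, not the word "encrypted", decide who is exposed.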

The eBay breach follows the April disclosure of the “Heartbleed” bug in OpenSSL, the cryptographic library behind much of the Web's encrypted traffic, which by some estimates left about half of all Internet websites exposed to attack. Just last December, Target Corp. revealed a hack that potentially affected 110 million customers.

“This hack is particularly significant because eBay has a reputation for taking very strong security measures,” says Michael Sutton, vice president of security research for Zscaler, a cloud-based cyber-security firm with headquarters in Sunnyvale, Calif. “What’s been revealed so far suggests a targeted attack directed at specific employees, possibly a phishing attack. It’s got to be of concern that it was only discovered a couple of weeks ago.”

Companies have tended to rely on firewalls and other perimeter defenses to build a cyber-fortress. But what this hack shows is that it is almost impossible to keep intruders out – and that the key is monitoring networks constantly so that any intrusion is detected quickly, before massive damage can be done, Mr. Sutton says.

It also suggests a sea change has occurred – and may still be occurring – in how companies deal with such hacks. Until a few years ago, most companies did everything they could to bury such hacks rather than make them public. But data-breach disclosure laws – and the admission in early 2010 by Google that it had been hacked by Chinese cyber-spies – have helped companies fess up to cyber-breaches and forced them to improve their cyber-security.

“That’s the silver lining here,” Sutton says. “Partly as a result of Google doing what it did, we’re seeing a lot more companies admitting they’ve been hacked. They know it’s better to get the bad news out and deal with it. But it's still a front page headline, so CEO feet are now being held to the fire on cyber-security – and that’s also forcing companies to improve their security posture."
