You can’t fail to have missed the news today that eBay has suffered a serious security breach, meaning that personal information about users has fallen into the hands of hackers.
According to eBay’s official announcement the database accessed by the hackers included customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
Take a large sigh of relief that the database didn’t also include any PayPal financial information which could have been directly exploited by the hackers to plunder online accounts.
But that doesn’t mean there is nothing to worry about.
Firstly, it’s essential to change your eBay password. Even though eBay says that it was stored in an encrypted form, we have seen time and time again hackers crack encrypted passwords. Once they have your password they could explore whether you have used the same password anywhere else on the net - your webmail account, for instance - and begin to unravel your online life.
So, choose a unique password, that’s hard to crack, and hard to guess.
Secondly, think of all the other ways that hackers and fraudsters could exploit the other information they have accessed. They could easily, for instance, spam out phishing campaigns designed to trick you into clicking on dangerous links or use your contact information for other forms of fraud.
But there’s another issue to consider here.
And that’s to think about how this happened to eBay, and whether it could happen to your company too.
eBay says that the hackers gained access to its systems by compromising staff accounts:
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
In other words, their staff made a mistake.
Humans being human are always prone to making mistakes and bad decisions. You can patch all the software vulnerabilities in the world, but people will still make errors - and they’re much harder to roll out a software patch for!
We don’t know if those eBay staff members’ passwords were compromised by keylogging malware, or old-fashioned phishing attack, but shouldn’t anyone with access to such sensitive databases have also been using some form of two-factor authentication?
After all, my online bank requires me to use 2FA if I want to transfer money to a different account. They don’t allow me to do that just on the basis of my username and password.
I would have hoped that eBay was doing something similar to control access to its databases. It certainly would have made things much trickier for the hackers if they had, but right now we don’t know if someone in eBay’s security team dropped the ball by not insisting upon it.
So the moral of today’s story is to both review your password practices, change your eBay password, and don’t forget the human factor when considering how to better defend your organisation.
This article originally appeared on the Lumension blog.