Yesterday, eBay announced the company suffered a data breach. The compromised database contained member names and the associated password, email address, physical address, phone number, and date of birth.
As to how it happened, eBay said a number of employee login credentials were compromised (stolen, in plain speak), allowing those who stole the credentials access to eBay’s corporate network. eBay said the data breach was discovered two weeks ago, and an initial investigation determined the bad guys first penetrated eBay’s infrastructure in late February or early March.
eBay wanted to be clear that the compromised database did not contain financial information or other confidential personal information. The other somewhat good news is that the passwords were encrypted. eBay would not comment on the strength of the encryption and, rather than take a chance, is requiring all members to change their eBay passwords.
Regarding passwords, eBay reminded members that if they used their eBay password to log in at other websites, the password needs changing everywhere it was used. eBay also issued a cautionary warning to its members: “The same password should never be used across multiple sites or accounts.” Let’s hope the eBay workers whose passwords were compromised heeded their employer’s advice.
Protecting your important data starts with generating a strong, yet usable password. TechRepublic created this PowerPoint presentation to help users derive a strong password that will still be easy to remember.
PayPal not affected
Since eBay owns PayPal, concern regarding the safety of member information stored by the financial services provider was understandable. PayPal member information was not affected. eBay stated: “It has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”
In an odd twist, the PayPal blog site provided the initial indication something was wrong, alerting many, including CNET, that eBay was going to ask its members to change their password.
Although eBay is downplaying the importance of the stolen information, it shouldn’t be taken lightly. In today’s world, where manipulating large amounts of disparate data is becoming relatively easy, adding data taken from eBay to other stolen data may just give the criminals enough information to try password-changing scams or, even worse, steal a victim’s identity.
The other problem with the bad guys having email addresses and other personal information is that it enhances their ability to send official-looking eBay or PayPal phishing emails to members who are already concerned about their information being in the wrong hands.