Wednesday, January 14, 2015

Possible eBay user info offered for sale online

SAN FRANCISCO – It may have taken eBay weeks to tell users its user database had been hacked, but it took less than 24 hours for groups claiming to have access to the information to offer it up for sale.

Several "full ebay user database dump" offers have been made on the anonymous site pastebin.com but it seems unlikely they're real, experts say.

"It's not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale," said Trey Ford, global security strategist at Rapid7, a security company in Boston.

"The published lists we have checked so far are not authentic eBay accounts. We still encourage users to go to eBay and change passwords," eBay said in a statement.

EBay reported Wednesday that a breach into its database of 145 million user records was discovered earlier this month and may have begun as early as late February.

Online marketplace eBay is urging users to change their passwords following a huge "cyberattack" on a database with encrypted passwords and non-financial data. VPC

Three months to find a cyber break in isn't surprising to Stephen Boyer, of BitSight Technologies, a security analysis firm in Cambridge, Mass.

"Intrusion detection is very difficult, depending on the skill of the attackers and the defensive abilities of the company," he said.

"Two months isn't good but still better than two years to detect Heartbleed which was in plain sight," said Bob West, of CipherCloud, a data security company in San Jose, Calif.

It's not uncommon to have an intrusion take 200 days to come to light, Boyer said. "The longer they're in the harder they are to find, because they don't trigger 'anomaly detection' anymore," he said.

Hackers getting in is one thing. Getting the data of 145 million users out is something else.

"The mass exfiltration of hundreds of millions of users personal data should have immediately been flagged. That shows a very fundamental lack of some simple security protections against some of Ebay's most sensitive data that they have," said David Kennedy, chief executive of TrustedSec, an information security company in Strongsville, Ohio.

EBay said it waited several weeks to tell its users because the company "has a responsibility to fully understand the facts which required a full investigation."

While 47 states and the District of Columbia have laws requiring that individuals be notified of security breaches involving their information, they vary wildly.

Deciding when to disclose is a balancing act, said Lysa Myers, a security researcher with Eset, a security company with offices in San Diego.

"Obviously, the more sensitive and valuable the data, the more important it is to disclose quickly. On the other hand, it doesn't look good to release incomplete information, only to have to update it with contradictory information as more data come to light," she said.

While there was no legal requirement to immediately notify customers, security experts weren't impressed with how eBay did it.

"When it was publicly announced, they didn't even have anything on the main webpage to notify the users," said Kennedy.

"It's easy to point the blame and fault mistakes, but in this case, you have to be open with communication and be very proactive in fixing the issue," he said. "This doesn't appear to have been done at all."

No comments:

Post a Comment