eBay faces multiple probes into mega-breach

US attorneys-general and UK ICO probing circumstances around massive security breach


eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way.

The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a joint inquiry while the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation.

The ICO’s Twitter account reported Christopher Graham telling BBC Radio this morning that the data watchdog was considering a probe of the eBay hack.

“eBay is, on the face of it, a very serious breach,” he said. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.”

Graham told Sky News that while he didn’t want to pre-empt a formal inquiry, his team had previously fined Sony £250,000 for its data breach.

The commissioner also warned folks to be wary of phishing emails that might appear to be from eBay and to only change their password directly on the eBay website.

Over in the US, Connecticut Attorney General George Jepsen had the same advice for eBay users in the state and also warned that his office would be looking into the breach, “as well as the steps eBay is taking to prevent any future incidents”.

Florida and Illinois have also started investigations into the hack, while New York’s AG Eric Schneiderman called for the online marketplace to provide free credit-monitoring services to its users.

“The news that eBay has discovered a security breach involving customer data is deeply concerning,” he said.

“New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.”

eBay’s databases were hacked some time between late February and early March by attackers who used employee login details to get into the corporate system. The firm only became aware of the attack recently and issued a statement earlier this week that personal information like names, addresses and phone numbers had been stolen, along with encrypted login details, but no financial data had been lifted.

The marketplace has faced a lot of criticism for its handling of the breach. Security experts continue to pressure eBay to reveal just how user passwords were encrypted so they can assess how easy it would be for criminals to decode them. Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”, but experts want more technical detail on how that works.

Users are also taking to forums to criticise how eBay has, or has not, informed people about the breach. Many eBay customers took to its forum to complain that they found out about the breach from the media, instead of from the company itself.

“Informing paying customers is just the right thing to do, leaving it to the BBC to do is just disrespectful!” one user said.

“If EBay has asked its users to change their passwords, then they missed me,” another complained. “I’ve not seen any notice on the site, and I haven't received a message either. What's more, there's no announcement in the "news" section either. Not only have they been "compromised" but they also seemingly can't be bothered to let their users know either.”

Even today, nearly three days after the initial announcement, users still haven’t received any direct emails explaining the breach or advising them on what to do.

eBay had not returned a request for comment on any of these issues at the time of publication. ®


Other stories you might like

  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading
  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Another ex-eBay exec admits cyberstalking web souk critics
    David Harville is seventh to cop to harassment campaign

    David Harville, eBay's former director of global resiliency, pleaded guilty this week to five felony counts of participating in a plan to harass and intimidate journalists who were critical of the online auction business.

    Harville is the last of seven former eBay employees/contractors charged by the US Justice Department to have admitted participating in a 2019 cyberstalking campaign to silence Ina and David Steiner, who publish the web newsletter and website EcommerceBytes.

    Former eBay employees/contractors Philip Cooke, Brian Gilbert, Stephanie Popp, Veronica Zea, and Stephanie Stockwell previously pleaded guilty. Cooke last July was sentenced to 18 months behind bars. Gilbert, Popp, Zea and Stockwell are currently awaiting sentencing.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading

Biting the hand that feeds IT © 1998–2022