eBay database breach: The how and why of a data heist

Zafar Anjum

eBay's recent announcement that one of its databases - which contains customer names, encrypted passwords, email addresses, contact details and dates of birth - was hacked earlier this year has hit the international headlines. eBay is a well-known company and has millions of users all over the world.

How did this happen?

According to a post on eBay's corporate site, cyber attackers had obtained access to "a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network."

"The very fact that just a 'small number' of compromised accounts has resulted in such significant access to eBay's corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach," said Dan Dinnar, Vice President for Asia Pacific, CyberArk.

"These powerful accounts hold the proverbial 'keys to the kingdom'. As evident here, they have access to vast stores of information, data and control within the organisations' digital depositories and, as a result, are the primary target for any hacker who is on the ball. Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked.

"Protecting privileged accounts should be top priority for any business, not least because perimeter security is clearly failing. The way in for these malicious attacks is through the inside and, as such, protection needs to start here - at the heart of the organisation. Monitoring and controlling these powerful accounts every time they're used is paramount to mitigating the impact of an inside breach. Businesses must start better protecting their assets and critical to this is securing the privileged accounts which form the primary vehicle for so many successful attacks."

Are the passwords easily decryptable?

"We don't know the type of encryption (there are several possible options), but the notable aspect here is that the passwords were encrypted (as repeatedly stated throughout the eBay post) instead of being hashed," said Dinnar. "This is contrary to the known best-practice of hashing the passwords with valid hashing algorithms and proper salts. The difference between encrypting and hashing is that encrypted information can be decrypted, while hashing is a one-way function which is designed to only enable one-way computation without it being possible to revert/decrypt the original information. Hashing is the known best-practice to secure passwords as the website solely needs to make sure that the password the user entered is correct, and doesn't need to know the password itself. There shouldn't be a need to decrypt the original password. While it is possible to use brute-force to break hashes, this is still difficult if the hashes are properly salted (a procedure that adds a random sequence of characters to the user password to make it more complex and much more difficult to brute-force)."
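As an added illustration of the salted, one-way storage described in the quote above (this code is not from eBay, CyberArk or the article), the sketch below stores a password record that can be verified but not decrypted, next to an unsalted fast hash for contrast. PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; the password is never stored."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        return False  # malformed record: wrong field count, bad hex, bad count
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """Weak scheme shown for contrast only: fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "correct horse battery staple"
    # Unsalted: both users get the same digest, so one guess exposes both.
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    # Salted: the two stored records differ, yet each still verifies.
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted records differ:", rec_a != rec_b)
    print("correct password verifies:", verify_password(pw, rec_a))
    print("wrong password verifies:", verify_password("wrong guess", rec_a))
```
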
