Today, eBay announced a massive breach of sensitive data on 148 million customers, making it perhaps the second largest data breach of all time, exceeded only by the 160 million records announced lost in June 2013 by a variety of companies.
This breach poses severe risks for general identity theft and password theft. Consumers are well advised to change passwords and use credit monitoring services.
According to eBay, the compromised data include:
- customers' names
- encrypted passwords
- email addresses
- physical addresses
- phone numbers
- dates of birth
eBay claims that no credit card information or social security numbers were lost in the compromise. Further, its subsidiary PayPal was not compromised. The data was collected in late February and early March 2014. As of this writing, eBay has not said whether this is their entire customer database, so it seems prudent to assume that it is. Finally, eBay detected the breach two weeks ago and is only now announcing the results to the public.
Identity Theft Risks
Although eBay denies that social security numbers were involved, the stolen data may allow fraudsters to open fraudulent accounts in a customer's name. Birthdays, physical addresses, email addresses, and phone numbers are sufficient to open many accounts. Previous compromises have revealed many social security numbers, which can readily be paired with the data from this eBay breach. That combination is very frequently enough to originate loans, redirect mail, and potentially apply for credit cards.
Advice: Consumers who have ever shopped at eBay (almost all of us) should monitor their credit regularly using one of the many credit monitoring services.
AOL admitted that its breach was the cause of a massive surge in spam. Consumers should beware of emails that appear to come from financial institutions asking them to reset passwords or to provide additional information 'for security purposes'.
Advice: Basic common sense (outlined here) goes a long way. In general, don't assume that any email is really from the institution it appears to come from. Check twice, and enter data reluctantly.
The risk to passwords is enormous. Illia Kolochenko, chief executive of the security firm High-Tech Bridge, told BBC News that it is highly likely the encrypted passwords have already been broken. "Over 80% of encrypted hashes [used on web applications] can be brute-forced within 48 hours," he said.
Excellent studies show that people reuse passwords with frightening regularity. Further, the same password is very often chosen independently by many different users (the top three passwords are 123456, password, and 12345678), the so-called password collisions.
If eBay simply encrypted their passwords (as they claim), rainbow-table attacks on the compromised database are likely to reveal a large fraction of the customer passwords. In the best case, eBay salted their passwords, so that breaking a single password does not automatically break every other account that uses the same password. Naively, this means each password would have to be attacked independently, since a precomputed rainbow table no longer applies across rows, making the compute time to break the whole database much larger.
However, password collisions will be very common, and that may hand all of the colliding accounts to the hackers.
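To make the salting argument concrete, here is an added illustration (constructed for this article, not eBay's code or data) on a toy five-account table: without salts, identical hashes reveal which accounts share a password and one precomputed lookup table cracks every colliding row at once, whereas per-user salts force each guess to be re-hashed for each row.

```python
import hashlib, os

# Constructed toy account table (not real breach data); several users chose
# the same weak password, the "password collisions" discussed in the article.
ACCOUNTS = {"alice": "123456", "bob": "password", "carol": "123456",
            "dave": "hunter2", "erin": "12345678"}   # "hunter2" is not in the wordlist
# A tiny stand-in for a real cracking dictionary of common passwords.
WORDLIST = ["123456", "password", "12345678", "qwerty"]

def hash_unsalted(password):
    # One fast hash, no salt: equal passwords always produce equal hashes.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(salt, password):
    # Per-user random salt: the same password hashes differently in every row.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_unsalted_db(accounts):
    return {user: hash_unsalted(pw) for user, pw in accounts.items()}

def build_salted_db(accounts):
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_salted(salt, pw))
    return db

def collision_groups(unsalted_db):
    # Identical hashes expose shared passwords before a single guess is tried.
    by_hash = {}
    for user, h in unsalted_db.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(u) for u in by_hash.values() if len(u) > 1)

def crack_unsalted(db, wordlist):
    # Hash the wordlist once (a lookup/rainbow table), then index every row.
    # Returns (recovered passwords, number of hash computations performed).
    table = {hash_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(wordlist)

def crack_salted(db, wordlist):
    # Nothing can be precomputed: every guess is re-hashed against every row.
    found, work = {}, 0
    for user, (salt, h) in db.items():
        for w in wordlist:
            work += 1
            if hash_salted(salt, w) == h:
                found[user] = w
                break
    return found, work
```

SHA-256 is used only to keep the effect visible; a real password store should use a deliberately slow, salted KDF such as bcrypt, scrypt or Argon2, which multiplies the per-row cost further.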
In general, cracking password databases is a well-established and widely known process. To see how easy it is, read Ars Technica's brilliant exposé on how anyone can do it.
Advice: eBay customers should immediately change all passwords they use on all sites. Excellent password management tools are available today that will look for shared passwords and suggest high-quality replacements.
We've been wondering whether 'Target is the new normal' ever since December. Since then, we've seen 50M accounts at Evernote, 2.4M at AOL, 20M at Korea Credit Bureau, and 2.4M at Snapchat, to name a few. Now eBay has lost control of 148M accounts. If anything, Target was only the first taste of things to come.
Update: To see how massive these data breaches can be, check out one of our latest articles, featuring the most catastrophic data breaches of the past 7 years.