eBay Hacked – Would you believe John Donahoe offered credit protection?

22 May 2014

“You eat danger for breakfast” 
“Would you believe lunch?”  Zach Smart
“Don’t do that.”  Chief Maxwell Smart
Get Smart (1995)

eBay INC made an interesting press release on 21 May 2014. eBay INC stated:

“SAN JOSE, Calif.–(BUSINESS WIRE)– eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”

A matter-of-fact, ‘don’t panic’, ‘nothing to see here’ statement. Then came the scrutiny.


“No more secrets, Marty.”
Cosmo, Sneakers (1992)

The press release did not mention the extent of the “compromised” database.  Although on 21 May 2014 eBay INC clarified:

“For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” eBay spokeswoman Kari Ramirez said.

And on 22 May 2014 eBay INC provided more clarification:

EBay hack, 2nd largest in U.S. history, leaves questions unanswered
Chicago Tribune, Reuters, 22 May 2014

EBay Inc’s description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.

“They’ve been pretty tightlipped. They’ve barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.

In particular, Kennedy wants to know why it took eBay three months to detect the intrusion.

“Missed it by that much”
Maxwell Smart (Don Adams), Get Smart

Computer security experts say the biggest breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.

“The day ain’t over yet…”
Curly, City Slickers (1991)

In eBay INC’s press release they promised, “Beginning later today, eBay users will be notified via email.”  Has any reader received any email warning of the database breach? Apparently that email has yet to be sent.

Some customers complained on eBay Community forums that they had not received much information about the breach from eBay and have yet to get notifications by email, which the company has promised to do.

And what did the “145 million” users affected by the database incursion immediately see?

U.S. states probe eBay cyber attack as customers complain
Reuters, 22 May 2014

As of Thursday afternoon, eBay did not have information on the attack visible on its market home page, www.ebay.com.

“That’s really poor incident response,” said David Kennedy, a cyber forensics expert who is CEO of TrustedSEC LLC. “EBay should be held to a higher standard.”

The eBay Hack: They Haven’t Only Hacked Your Security, They’ve Hacked Your Brand
Patrick Hanion, Forbes, 22 May 2014

“The eBay Hack” brings to mind the recent Target INC hack.

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack, Businessweek, 13 March 2014

The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores.

“On Saturday, Nov. 30, the hackers had set their traps”

Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.

“More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions.”

The time between hack and notification?

Federal investigators warned Target of a massive data breach on Dec. 12.

Note this is not Target INC notifying its customers. It’s the U.S. Government notifying Target INC.

Notification to consumers was much, much later.

14 January 2014

Dear Target Guest,

As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.

I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
  • Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
  • Delete texts immediately from numbers or names you don’t recognize.
  • Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.

Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.

Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.

Gregg Steinhafel
Chairman, President and CEO

Compare and contrast the actions and timeline of Target INC and CEO Gregg Steinhafel to eBay INC and CEO John Donahoe.

Time from breach to customer notification.

  • Target Inc, customer emails, 1 month +
  • eBay Inc, Press Release, 2-3 months

Message from CEO to customers.

  • Target Inc, 1 month +
  • eBay Inc, none

Credit protection.

  • Target Inc, “Target is offering one year of free credit monitoring”
  • eBay Inc, none

While eBay INC has stated, “no evidence of unauthorized access or compromises to personal or financial information”, one may or may not want to take that with a grain of salt.

Someone posted a batch of emails, scrambled passwords, phone numbers and addresses of more than 12,000 people on the Internet, saying it was a sample of data stolen from eBay and offering to sell the full batch for 1.453 bitcoin, or a little more than $750.

EBay’s Miller said the information was not authentic.

Reuters spoke to six people whose phone numbers were included in that batch. While only four said they had eBay accounts, all of them said the data was correct

If eBay INC can’t identify its own users, what assurance is there that eBay INC can identify the condition of its own data?

The fate of Target INC CEO Gregg Steinhafel?

Target’s CEO Steps Down Following The Massive Data Breach And Canadian Debacle
Forbes, 8 May 2014

“Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions after extensive discussions with the board.”

I’ve never seen worse corporate governance than eBay
Carl Icahn, 5 March 2014

The fate of eBay INC CEO John Donahoe remains to be seen.


“And because of current synergies, a lot of data is traded between eBay and PayPal.” JP Mangalindan, Fortune

Why would you divide up the data?! Everyone is paying millions to get to the data. Why would you divide up the data?
John Donahoe, 10 March 2014




2 Responses to “eBay Hacked – Would you believe John Donahoe offered credit protection?”

  1. Philip Cohen 23 May 2014 at 09:49

    As a matter of interest, copies of eBay’s hacked data are on sale at [REDACTED]

    eBay Inc, where the incompetent mingle with the malevolent and the [REDACTED]

    Ed – The first redact is to protect readers from questionable sites. The second redact is covered under “47 U.S. Code § 230 – Protection for private blocking and screening of offensive material.” Whereas that link and end comment could embroil us in civil liability, ala Corri McFadden-like suits.

    SEE Electronic Frontier Foundation, Legal Guide For Bloggers (https://www.eff.org/issues/bloggers/legal/liability/230).

    Our current comment policy is we rarely publish comments. However this comment was a good segue to the recent Forbes article.

  2. EventHorizon1984 23 May 2014 at 10:23

    The article below has an explanation of that eBay INC data on sale, as presented by Philip Cohen.

    Your eBay Password For Sale? How, Where And Why
    James Lyne
    Forbes, 23 May 2014

    “In short, it’s a scam. A very well timed, clever scam that has everyone very excited.”

    However it appears the author did not check with any users on that list.

    Whereas elsewhere real data surfaced.

    U.S. states probe eBay cyber attack as customers complain
    Jim Finkle and Karen Freifeld
    Reuters, 22 May 2014

    “EBay’s Miller said the information was not authentic.

    Reuters spoke to six people whose phone numbers were included in that batch. While only four said they had eBay accounts, all of them said the data was correct”

    The James Lyne ad could be one of many scammers, creating scams of the actual sample list Reuters investigated.

    The article continued,

    “which suggests they may have been victims of another data breach.”

    The question being, was that data from the February/March eBay INC database hack, or another hack, or compiled data from scammed eBay INC users? For that matter, if that data is from another hack, what assurance do eBay INC users have that this other hack is not something more recent?
