eBay refused to admit to massive cyber attack because it thought customer data was safe
eBay did not immediately tell customers about the cyber attack that compromised the details of 145 million users because it thought the customer data was safe, the site's boss has revealed.
The auction site initially believed that customer data was safe as forensic investigators reviewed a network security breach discovered in early May, global marketplaces chief Devin Wenig has revealed.
He declined to say when the company first realized customer data was involved or how many days it took them to prepare Wednesday's public announcement about the massive breach in which hackers accessed data belonging to all 145 million eBay users.
WHAT DO WE KNOW ABOUT THE CYBER ATTACK?
The eBay database was hacked between late February and early March.
It gave hackers access to encrypted passwords and other non-financial data.
This included eBay customers' name, encrypted password, email address, home address, phone number and date of birth.
However, the database did not contain financial information or other confidential personal data.
Cyber attackers accessed the information after obtaining 'a small number of employee login credentials'.
The online market place added that it had no evidence of there being unauthorised activity on its members' accounts.
But security experts are warning hackers could still use personal details to commit identity fraud.
eBay became aware of the hack a fortnight ago but is still unsure exactly how it happened.
It is unclear why it has taken eBay so long to make users aware of the breach.
'For a very long period of time we did not believe that there was any eBay customer data compromised,' Wenig told Reuters in the first comments by senior executives since the company disclosed the breach this week.
'When we found out that there was, we moved swiftly to disclose,' he added.
The auction site has been blasted for an 'inexcusable delay' in taking action after it was revealed that its servers were hacked three months ago - compromising the personal details of 15 million British users.
The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder - 145 million worldwide - are now in the hands of the hackers.
The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.
It has been revealed that hackers accessed eBay databases by using the accounts of company employees as long ago as February.
MPs have rounded on the American company for the 'inexcusable delay' in informing its customers.
Keith Vaz, the chairman of the Commons home affairs select committee, told the Telegraph: 'We have urged companies to take much more seriously the threat of hacking. It is inexcusable that a company as important as eBay has failed to inform its customers immediately that this has occurred. We need a full explanation.
'We will be writing to them to ask how this happened and whether this problem has been resolved.'
In a statement on their website, the US auction site said it was asking all its users to reset their passwords after an attack 'compromised a database containing encrypted passwords and other non-financial data'.
Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.
Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the 'golden goose of hacking targets' due to the sheer amount of information which is held.
He said that the damage could have already been done and warned that while hackers may not be taking money or goods out of eBay - they may be using personal information to target other sites.
An eBay spokesman said: 'We discovered unauthorised access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to yesterday's announcement.
'eBay is a global marketplace and this thorough investigation worked as quickly as possible.'
The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: 'PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.'
The firm has 145million active users and accounted for £126billion worth of commerce in 2013.
A spokesman added: 'Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
'Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.'
The cyber attack was made between late February and early March, giving hackers access to eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. The firm said it will be emailing users later today to inform them of the breach.
'Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.
'There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.'
But Graham Cluley, independent security expert, said: 'Obviously they've got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.
'If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.'
And internet security expert Paul Martini said: 'eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.
'It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.'
He added: 'Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.'
The internet is still recovering from the Heartbleed bug, a flaw in the OpenSSL encryption on computers that protects user information when someone is online.
The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web. UK parenting website Mumsnet was the first to admit they had been a victim of the bug. Fixes, or 'patches', have since been applied across the web as sites recover from the breach in security.
HOW DOES THE EBAY HACK AFFECT YOU? WHAT YOU NEED TO KNOW
What personal details were stolen?
Hackers gained access to eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.
Are my credit card details safe?
The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes.
Will changing my password solve the problem?
Changing passwords will stop hackers from being able to use any login details that were stolen.
However, they could still use names, addresses and birth dates to commit identity fraud.
It's a good idea to change passwords following any attack such as this. It's also important to update login details on any sites that use the same password.
If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.
As a rule, the same password should never be used across different sites.
Should I change my PayPal password as well?
PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.
However, as a matter of course, it's good practice to change all related passwords across different sites, including PayPal.
Which countries are affected?
At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.
Is this hack a result of the Heartbleed bug?
When Heartbleed was exposed, eBay announced its customers' accounts were secure and had not been affected. This suggests the latest hack is a separate attack.
How did hackers steal the information?
It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.
Why did it take so long for eBay to inform customers of the breach?
MailOnline has contacted eBay for an answer to this question. It is unclear what caused the delay.
Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice.