Target, Neiman Marcus, Michael’s — these days, it seems that cyber attacks on major retail chains are par for the course. Target receives the dubious distinction of being the victim of the biggest retail hack in U.S. history, but that victory for hackers seems to have encouraged others to keep it going. Now, another major corporation has joined the ranks of the hacked, and this one may be the biggest of all: eBay.
Before you read any further, you might want to head over to eBay and reset your password. I just did, though given that I made an eBay purchase this morning in the name of blog-writing procrastination, I can’t say I’m feeling terribly comfortable about it. In a blog post, eBay is encouraging its 233 million users to do the same, citing a “cyberattack that compromised a database containing encrypted passwords and other non-financial data.” Hmm…well, aren’t those encrypted passwords linked directly to financial data, such as credit cards stored on user accounts? According to eBay, no. The company says it has “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.” Apparently, the hacked database did contain customer information, like phone numbers, birth dates, email addresses, passwords, etc., but the other database containing all the financial information wasn’t compromised. Boy, I hope that’s true.
According to eBay, hackers did access the log-in information of a “small number” of employees, which then linked them to the company’s corporate network. eBay is “aggressively” investigating the situation, and thus far believes that the database was jacked sometime between late February and early March, so my morning purchase probably isn’t as potentially problematic as ones I made months ago and have since forgotten — another not entirely comforting thought. The compromised log-ins were first discovered about two weeks ago.
The time lag here is interesting. If the cyber attacks occurred a few months ago, why did it take until a couple of weeks ago to detect them? And why the delay in informing users? This is one of the most troubling aspects of such cyber attacks — even if a company discovers a compromise, it doesn’t help customers whose information may have been left exposed for months. As a consumer, there’s really no way to know if one’s information is safe, especially if one didn’t know to look for anything suspect. The recently discovered Heartbleed bug is a perfect example, as it compromised SSL connections and OpenSSL software for years, opening up tons of sites and information to hackers. Trying to fix it so long after the fact seems like trying to put a Band-Aid on a gunshot wound.
This isn’t the first time eBay’s security has been compromised. About 1,200 users’ accounts were hacked back in 2007. This time around, eBay maintains there has been no “increased” fraudulent activity on the site. It also appears that PayPal is safe, which is probably even more important. Data and financial information for PayPal users live on a different network than eBay’s, and all of it is encrypted, which may or may not make you feel any better. Still, don’t be surprised if you get a message from eBay sometime today or tomorrow asking you to change your password.