How did eBay fail to notice a data breach affecting 233 million customers for three months?

Posted by Geraldine Hunt on Thu, May 29th, 2014

This latest eBay data breach is really astounding. The eBay breach is more than a minor annoyance. Many of the emails already popping up in inboxes are phishing attempts, which pose a serious network security risk: they include links to sites designed to steal confidential information.

Data breach affecting 233 million customers goes unnoticed.

The problem dates back to February and early March. The log-in credentials of three eBay employees were compromised, allowing hackers to copy a database containing customers’ names, encrypted passwords, addresses, phone numbers, and email addresses. The breach wasn’t made public until May 21. It was discovered in early May, but eBay says that it initially thought that no customer data had been compromised. EBay now says that the stolen data contained no financial information and that PayPal was not affected. But how did eBay fail to notice a data breach affecting 233 million customers for three months?

Although not financial, the data that was leaked was valuable. Basic login information like user name, address, email address, phone number and date of birth was in the breached database. This information is an absolute goldmine for scammers who want to crack accounts or operate password reset scams.

Three states—Florida, Connecticut, and Illinois—have launched investigations. Eric Schneiderman, the attorney general of New York, said that he “fully expects eBay to provide free credit monitoring services to customers impacted by this breach,” but eBay says it has no immediate plans to compensate customers. Regulators in Europe are also taking an interest. Gerard Lommel of the Luxembourg data protection authority said that an investigation will be launched there.

What network security practices were in place?

EBay is being criticized for its slow reaction, which has extended to customer notifications, though with 145 million active users, or 233 million registered accounts, eBay has a lot of notifications to send. It responded in a tweet to customers who were upset about not getting information directly, saying it would "take time" for users to receive an email. This kind of incident raises questions about the company’s security practices, and hackers are having a field day publicizing other eBay vulnerabilities they say they’ve found.

What does the eBay breach mean for the rest of us? As much of a nuisance as it is, changing eBay passwords is a very good idea. Going directly to the eBay site to change a password is the safest way to do it; as always, clicking on a link in an email should definitely be avoided. If you’ve used the same password on any other accounts, they need to be changed too. According to eBay, PayPal was not compromised, but you’ll want to change your PayPal password if it was the same as your eBay password.

This data breach is going to continue to inspire phishing attempts, so it’s critical to ignore suspicious emails or phone calls relating to eBay. The stolen data might also be useful in crafting spear phishing attempts, so—as always—it’s wise to be cautious about revealing confidential information, even in response to what looks like a legitimate request.
