eBay’s Database Breach and What You Need To Do
By Perry Michael Simon on May 21, 2014
Maybe we haven’t quite gotten to the point at which there isn’t a company left that HASN’T experienced a security breach, but it seems that we’re headed in that direction. And so it is that the latest breach has occurred at eBay, where 145 million users are being notified that the database with names, email and physical addresses, phone numbers, encrypted passwords, and dates of birth has been compromised in a cyberattack. The company says it doesn’t see evidence of any attempts to use the information and says that financial data — credit card and bank information — is separately stored and encrypted and was not affected. More importantly, PayPal, which, of course, eBay owns, was also separate and, the company insists, secured and not compromised.
Well, then. If you have an eBay account, you should obviously change your password. And I do mean “IF you have an eBay account” — if you haven’t logged in for a while, they DO delete your account. But the larger issue is how companies protect, or don’t protect, your personal information. Whether it’s a brute force attack or corporate espionage or skimmers at the point-of-sale terminals, it seems way too common, and easy, for your information to end up in the wrong hands. And corporate attitudes towards these breaches seem to range from dismissive to downright cavalier, and that’s worrisome: when eBay says that it’s all good because the financial information was kept separately, that doesn’t address how whoever got in did the deed by simply targeting some employee log-ins, finding one that worked, and downloading away. Nor does it address whether passwords should be just encrypted or whether hashing should be the rule. Really, there are a lot of ways to get into a system, and, ultimately, if someone wants to get in badly enough, they will. And by the time a breach is discovered, it may be too late: eBay was compromised as early as late February and it was uncovered only a couple of weeks ago.
Whether it’s this or Heartbleed or the Target thing, it’s all a reminder that you should be using stronger passwords blah blah yeah whatever YOU’VE BEEN TOLD THIS OVER AND OVER AND DO YOU LISTEN? HAH? Are you using a password manager like 1Password or LastPass or Apple’s iCloud Keychain (each of which has its pros and cons)? Have you come up with your own system to create passwords that aren’t easily guessed but that you can remember? Are you changing your passwords regularly? If no to all of these, is that because you’re lazy or because you don’t think the threat’s all that serious? (And does it depend on the site? I mean, some accounts are more worrisome than others. Unless, that is, you use the same password on all your accounts, which you shouldn’t.) Anyway, here’s Lifehacker’s primer on using LastPass to fix up your password situation, and their cautionary article regarding passwords and how even character substitutions (like “ch@ract3r su6st1tuti0ns”) aren’t enough, with some discussion of using 1Password.
tl;dr summary: Change your password on eBay. Make your passwords tougher. Be aware that none of it may totally protect you.
HT: USA Today