As is the case with most high-profile data breaches, despite an initial disclosure of information, more questions are inevitable.

The eBay password database hack is a prime example. Inquiring minds still want to know more about how the stolen passwords are secured and why the online auction house’s response has been so wonky? And until a short time ago, there was still a question as to whether a Pastebin post claiming to be a full dump of the password database for sale was legitimate until eBay confirmed otherwise.

EBay incident response did not enjoy its finest hour yesterday, in particular with regard to its messaging. A post went up on the eBay blog informing its 145 million customers that a breach had occurred between February and March and the recommendation was made that users should change their passwords.

That was it for a long time. No homepage splash with a similar notification; no emails to users; no forced password reset mechanism. In fact, as of 11:30 a.m. PDT, eBay said it was still in the process of notifying users via email.

Worse, eBay’s initial communication about the breach said that along with plaintext customers’ names, email addresses, physical addresses, phone numbers and dates of birth, encrypted passwords were stolen. While that may be of some comfort to Mr. and Mrs. America, that was a big red flag to anyone who has added a little salt to their hash.

Encrypting a password is of limited value unless it’s hashed using an algorithm that isn’t broken or collision prone

Encrypting a password is of limited value unless it’s hashed using an algorithm that isn’t broken or collision prone (hello, MD5), and they’re salted, adding a little randomness that slows down any brute-force cracking.

EBay quickly clarified its original statement in a Reuters article with a claim that passwords were protected with “proprietary hashing and salting technology.”

Experts, however, caution that eBay customers shouldn’t ignore the site’s request to change passwords, especially those that users may be re-using elsewhere.

“Encryption does not really help, as our penetration testing practice shows – over 80% of encrypted hashes [used on web applications] can be bruteforced within 48 hours,” said Ilia Kolochenko, CEO of High-Tech Bridge in an email to Threatpost. “But even a 50-random-characters password cannot guarantee 100 percent security, as hackers can just intercept passwords in plain-text when users are logging-in for example [in case is hackers have access to web application of course]. This is why eBay is doing a good thing by advising users to change the passwords ASAP; people should not rely on encryption.”

As for the Pastebin post claiming to offer the full eBay user database dump of 145,312,663 unique records at a price tag of 1.453 Bitcoin, eBay has confirmed it’s fake.

Security engineers at Rapid7 analyzed a free sample dump of 12,663 users’ credentials from the Asia-Pacific region and were not immediately able to verify whether they’re legitimate eBay credentials. Since eBay’s denial that the credentials are theirs, it’s likely the the work of an opportunistic criminal trying to sell a relatively small set of credentials stolen from elsewhere.

Global security strategist Trey Ford said the engineers’ analysis did fine some matches between email prefixes and eBay handles, but that doesn’t necessarily mean much more than the credentials could have been used in more than one place.

“In fact, we also found matches between these email addresses and a popular Malaysian web forum, which may point to the true source of these credentials,” Ford said.

Ford said that the free sample were hashed using PBKDF2 SHA-256 hashes, meaning it would take time to crack the hashes to be able to re-use them.

“They employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations,” Ford said. “The method used can be regarded as the state-of-the-art way to store passwords on web applications.”

EBay could still, however, shut down existing passwords as a stronger precaution.

“There is a level of friction (or frustration) to impose by doing this, but a very worthwhile tradeoff in elevating the safety of their customers,” Ford said. “If eBay chose to force all users to go through a password reset, the stolen passwords would be useless at eBay.com, but people would still need to change them on any other site for which they were used.”

This article was updated at 4 p.m. ET with clarification from eBay and Rapid7 as to the authenticity of the Pastebin post.

Categories: Cryptography, Data Breaches

Comments (5)

  1. John Little
    1

    Last night I changed my email password, and noted that eBay have blocked the option of pasting in a new password into their password field. Normally I generate a password using a password generator and I tend to go for 22-25 characters, digits, etc. I can’t see the point of eBay (in their infinite wisdom) of blocking pasting text into a password field.

    Reply
  2. RLS
    2

    True! Password management demands the ability to securely paste any one of thousands of passwords, all different and none reused! Removing that ability leads to much greater vulnerabilities and insecurity. Maybe I can just use one 6 character, easy to remember password for all sites? Ebay? Not thinking! Worst yet, as of yesterday,Ebay no longer recognizes my password and will not allow re-registering because my email address is currently in their system. Trying to get help from Ebay is NOT possible. They hate people! So, scru Ebay.

    Reply
  3. Anonymous
    3

    If you generate passwords with KeyPass you can use its auto-type feature to bypass the blocking of the paste function.

    Reply
  4. F*ckeBay
    4

    I’m done with eBay.

    I’ve been a member since 1997, but I’ve watched them make one mistake/misstep after another now for several years.

    It’s clear that their engineers have no real idea of what they are doing, that their top-tier executives are entirely inept, and that different groups within their infrastructure communicate no better amongst each other than eBay does with its customers.

    Goodbye, fools…

    Reply
  5. steviejo615
    5

    Ebay should be forced to make all needed changes…not ebay customers! I am most displeased with ebay “asking” account holders to change their password. If we are truly being asked, we have a right to not change our password. Passwords did not cause ebay’s security breech. When forcing changes do not use the term ask as it is truly dishonest.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>