As is the case with most high-profile data breaches, despite an initial disclosure of information, more questions are inevitable.
The eBay password database hack is a prime example. Inquiring minds still want to know more about how the stolen passwords were secured and why the online auction house’s response has been so wonky. And until a short time ago, there was still a question as to whether a Pastebin post claiming to be a full dump of the password database for sale was legitimate; eBay has since confirmed it is not.
eBay’s incident response did not enjoy its finest hour yesterday, in particular with regard to its messaging. A post went up on the eBay blog informing its 145 million customers that a breach had occurred between February and March, and the recommendation was made that users should change their passwords.
That was it for a long time. No homepage splash with a similar notification; no emails to users; no forced password reset mechanism. In fact, as of 11:30 a.m. PDT, eBay said it was still in the process of notifying users via email.
Worse, eBay’s initial communication about the breach said that, along with customers’ plaintext names, email addresses, physical addresses, phone numbers and dates of birth, encrypted passwords were stolen. While that may be of some comfort to Mr. and Mrs. America, it was a big red flag to anyone who has ever added a little salt to their hash.
“Encrypting” a password is of limited value unless the password is hashed using an algorithm that isn’t broken or collision prone (hello, MD5), and unless each hash is salted, adding a little per-user randomness that slows down any brute-force cracking.
eBay quickly clarified its original statement in a Reuters article with a claim that passwords were protected with “proprietary hashing and salting technology.”
Experts, however, caution that eBay customers shouldn’t ignore the site’s request to change passwords, especially any password that users may be reusing elsewhere.
“Encryption does not really help, as our penetration testing practice shows – over 80% of encrypted hashes [used on web applications] can be brute-forced within 48 hours,” said Ilia Kolochenko, CEO of High-Tech Bridge, in an email to Threatpost. “But even a 50-random-character password cannot guarantee 100 percent security, as hackers can just intercept passwords in plain text when users are logging in, for example [in case hackers have access to the web application, of course]. This is why eBay is doing a good thing by advising users to change their passwords ASAP; people should not rely on encryption.”
As for the Pastebin post claiming to offer the full eBay user database dump of 145,312,663 unique records at a price tag of 1.453 Bitcoin, eBay has confirmed it’s fake.
Security engineers at Rapid7 analyzed a free sample dump of 12,663 users’ credentials from the Asia-Pacific region and were not immediately able to verify whether they were legitimate eBay credentials. Given eBay’s denial that the credentials are theirs, it’s likely the work of an opportunistic criminal trying to sell a relatively small set of credentials stolen from elsewhere.
Global security strategist Trey Ford said the engineers’ analysis did find some matches between email prefixes and eBay handles, but that doesn’t necessarily mean much more than that the credentials could have been used in more than one place.
“In fact, we also found matches between these email addresses and a popular Malaysian web forum, which may point to the true source of these credentials,” Ford said.
Ford said that the credentials in the free sample were hashed using PBKDF2 with SHA-256, meaning it would take time to crack the hashes before they could be reused.
“They employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations,” Ford said. “The method used can be regarded as the state-of-the-art way to store passwords on web applications.”
eBay could still, however, invalidate existing passwords as a stronger precaution.
“There is a level of friction (or frustration) to impose by doing this, but a very worthwhile tradeoff in elevating the safety of their customers,” Ford said. “If eBay chose to force all users to go through a password reset, the stolen passwords would be useless at eBay.com, but people would still need to change them on any other site for which they were used.”
This article was updated at 4 p.m. ET with clarification from eBay and Rapid7 as to the authenticity of the Pastebin post.