eBay announced earlier today that it was the victim of an attack that compromised the email addresses, encrypted passwords, physical addresses, phone numbers and dates of birth of eBay customers. It's important to note that the company indicated it has not detected any fraudulent activity on user accounts and that credit card information was not taken.
Breached Credentials: #1 Attack Vector and #3 Most Commonly Sold Information on the Black Market
The attack was based on compromising the credentials of a few key employees. The intrusion took place in February and March, so it went undetected for more than two months before eBay discovered it.
It's unsurprising to see that the attack came through compromised credentials, since the 2014 Verizon Data Breach Investigations Report (DBIR) and other sources highlight that stolen credentials are now the most common way of breaking into a network. They are also the third most commonly sold piece of stolen information on underground markets, behind credit card and bank account information.
Disclosed Personal Information May Cause Rise in Identity Theft and Online Fraud
From both an individual and a corporate point of view, users should be aware that the information taken from eBay provides the foundation for full identity theft. Date of birth in particular is frequently used as an identity-verification question by organizations like banks and as part of password-reset flows.
Users should monitor for signs of fraud: unexpected transactions on eBay, unexpected account activity on other sites where the same credentials were used, and signs of identity theft such as credit card applications you did not make. We recommend that you immediately change your eBay password and the password on any other site where you reused those credentials.
It's a good idea to use a password manager, which makes it easy to avoid reusing passwords and to keep every password long and unique. As always, stay vigilant for signs of phishing, identity theft and spam. Because the attackers have phone numbers, also be wary of callers trying to social engineer information out of you; a caller who already knows your address and date of birth has not thereby proven to be eBay or your bank.
Companies Should Prepare for Credential Reuse and Social Engineering Attacks
While we don't know whether the attackers will manage to recover the plaintext passwords, "encrypted" (in practice, hashed) passwords do not protect weak or common choices: once the hashes are offline, an attacker can guess against them at will, and a salt only defeats precomputed tables, not guessing. Security teams therefore need to be aware that employees are statistically likely to reuse on the corporate network the same passwords they use for online services such as eBay, and that some of those passwords will be recovered.
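The following is an added example and not code from the original post or from eBay. It illustrates the two points above on constructed data: a small table of salted SHA-256 password hashes (a stand-in for an "encrypted password" dump; eBay's actual scheme is not known and is not assumed here) is cracked offline with a tiny wordlist, and the recovered passwords are then checked against a constructed corporate directory to find employees who reused them. The account names, wordlist, directory, the `site_hash`/`corporate_hash` schemes and the email-to-username mapping are all assumptions.

```python
"""Why a stolen table of 'encrypted' passwords should be treated as plaintext,
and how to find employees who reused a breached password on the corporate network.

Added example, not from the original post. ACCOUNTS, WORDLIST, EMPLOYEES and
CORPORATE_DIRECTORY are constructed; both hashing schemes are assumptions.
"""
import hashlib
import os
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed third-party accounts (plaintext exists here only to build the dump).
ACCOUNTS = {
    "alice@example.com": "Password1",
    "bob@example.com": "r7$Kq!vZ2pLm#9wE",  # long random password, not in any wordlist
    "carol@example.com": "ebay2014",
    "dave@example.com": "letmein",
}
# Constructed attacker wordlist (real ones have tens of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "Password1", "ebay2014"]


def site_hash(password: str, salt: bytes) -> str:
    """One round of salted SHA-256: fast to compute, therefore fast to guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def corporate_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with 100k iterations: slow per guess, but no help at all
    against a password the attacker has already recovered from another site."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def build_dump(accounts: Dict[str, str],
               hash_fn: Callable[[str, bytes], str]) -> Dict[str, Tuple[bytes, str]]:
    """What the attacker walks away with: identity -> (salt, hash)."""
    dump = {}
    for name, pw in accounts.items():
        salt = os.urandom(16)
        dump[name] = (salt, hash_fn(pw, salt))
    return dump


def crack_dump(dump: Dict[str, Tuple[bytes, str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack. The per-account salt forces one hash per
    (account, guess) pair and defeats rainbow tables, but a weak password
    still falls after a handful of guesses."""
    words = list(wordlist)
    recovered = {}
    for email, (salt, target) in dump.items():
        for guess in words:
            if site_hash(guess, salt) == target:
                recovered[email] = guess
                break
    return recovered


# Constructed corporate directory (username -> (salt, hash)) and the mapping from
# personal email to corporate username, assumed to be known (e.g. from HR records).
EMPLOYEES = {"alice@example.com": "alice", "carol@example.com": "carol", "dave@example.com": "dave"}
CORPORATE_DIRECTORY = build_dump(
    {"alice": "Password1", "carol": "S3cure!Corp-2014", "dave": "letmein"}, corporate_hash)


def find_corporate_reuse(recovered: Dict[str, str]) -> List[str]:
    """Employees whose corporate password equals the one recovered from the breach.
    These accounts need a forced reset on the day of the breach, not an advisory."""
    reused = []
    for email, pw in recovered.items():
        user = EMPLOYEES.get(email)
        if user is None:
            continue
        salt, target = CORPORATE_DIRECTORY[user]
        if corporate_hash(pw, salt) == target:
            reused.append(user)
    return sorted(reused)


if __name__ == "__main__":
    stolen = build_dump(ACCOUNTS, site_hash)
    got = crack_dump(stolen, WORDLIST)
    print("recovered from dump:", got)              # alice, carol, dave fall; bob survives
    print("reused on corporate network:", find_corporate_reuse(got))
```

Three of the four accounts fall to a seven-word list; the one that survives did so because the password was long and random, not because the site's hashing was good. Note that the corporate side's slow PBKDF2 is irrelevant once the attacker already holds the plaintext from the weaker site, which is why reuse, not hash strength alone, is the risk the security team has to manage.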
Be alert for an increase in phishing and other social engineering attacks, since a physical address, phone number and date of birth make it easy to craft a very convincing phishing mail. Brazen attackers could also try to social engineer a password reset by phoning the help desk, or to extract further information through the HR department, using the leaked details as proof of identity.
Rapid7 recently hosted a webcast entitled "Breaking the Kill Chain: How to Protect against user-based attacks." The webcast helps you recognize some of the indications of a user-based attack and of compromised credentials. You might also consider signing up for the free community edition of UserInsight, which helps you detect and investigate these types of attacks.
Communication with Users Is Key to Your Security Response
In the coming months, security teams will need to be extra vigilant for indications of attacks based around compromised credentials. We've attached a short note to the bottom of this post that you could send to employees, giving them some best practices to help secure their personal data and the corporate network. However, not all employees will follow this advice, so it's important to monitor user activity for anomalies that could mark an intruder trying to get into the network (for example, one source attempting logins against many accounts, or a successful login from a location a user has never used before) or somebody moving laterally within the network.
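As an added example (not part of the original post and not UserInsight code), the following script runs the two detections just described over a few constructed authentication log lines. The log format, host addresses, the baseline of known sources per user and the thresholds are all assumptions; adapt the regex and thresholds to your own VPN, SSO or directory logs.

```python
"""Detection logic for credential-based attacks, run over constructed auth log lines.

Added example, not from the original post. SAMPLE_LOG, KNOWN_SOURCES, the log
format and the thresholds are assumptions. It flags two things:
  1. credential stuffing: one source failing against many distinct accounts
     inside a short window, with a high failure ratio;
  2. a successful login from a source the user has never used before, rated
     HIGH when that same source was also stuffing and LOW otherwise.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+"
    r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 10.0.0.12 sprays six accounts in a few seconds, then logs in
# as alice; 192.0.2.44 is carol on a genuinely new device.
SAMPLE_LOG = """\
2014-05-21T09:00:05Z src=198.51.100.7 user=alice result=OK
2014-05-21T09:01:10Z src=198.51.100.9 user=bob result=OK
2014-05-21T10:02:11Z src=10.0.0.12 user=bob result=FAIL
2014-05-21T10:02:12Z src=10.0.0.12 user=carol result=FAIL
2014-05-21T10:02:13Z src=10.0.0.12 user=dave result=FAIL
2014-05-21T10:02:14Z src=10.0.0.12 user=erin result=FAIL
2014-05-21T10:02:15Z src=10.0.0.12 user=frank result=FAIL
2014-05-21T10:02:16Z src=10.0.0.12 user=grace result=FAIL
2014-05-21T10:04:40Z src=10.0.0.12 user=alice result=OK
2014-05-21T11:30:00Z src=192.0.2.44 user=carol result=OK
"""

# Constructed baseline: sources each user has previously logged in from.
KNOWN_SOURCES: Dict[str, Set[str]] = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}

Event = Tuple[datetime, str, str, str]  # (timestamp, src, user, result)


def parse_log(text: str) -> List[Event]:
    """Parse matching lines into time-ordered events; lines in another format are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(events: List[Event], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> Set[str]:
    """Sources that, within any sliding `window`, fail against at least `min_users`
    distinct accounts while at least `min_fail_ratio` of their attempts fail."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged: Set[str] = set()
    for src, evs in by_src.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(evs):
            while evs[start][0] < ts - window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e[3] == "FAIL"]
            if len({e[2] for e in fails}) >= min_users and len(fails) / len(win) >= min_fail_ratio:
                flagged.add(src)
                break
    return flagged


def detect_new_source_logins(events: List[Event], known: Dict[str, Set[str]],
                             stuffing: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Successful logins from a source absent from the user's baseline.
    Returns (severity, timestamp, user, src). A LOW-severity source is learned into
    the baseline; a source that was also stuffing is never learned."""
    seen = {u: set(s) for u, s in known.items()}
    alerts = []
    for ts, src, user, result in events:
        if result != "OK" or src in seen.setdefault(user, set()):
            continue
        if src in stuffing:
            alerts.append(("HIGH", ts.isoformat(), user, src))
        else:
            alerts.append(("LOW", ts.isoformat(), user, src))
            seen[user].add(src)
    return alerts


def run(text: str = SAMPLE_LOG, known: Dict[str, Set[str]] = KNOWN_SOURCES):
    events = parse_log(text)
    stuffing = detect_stuffing(events)
    return stuffing, detect_new_source_logins(events, known, stuffing)


if __name__ == "__main__":
    sources, alerts = run()
    print("credential stuffing sources:", sources)
    for alert in alerts:
        print("new-source login:", alert)
```

The LOW alert for carol is deliberate: a first login from a new device looks identical to an account takeover in the log, so the detection needs context (was the source also spraying, does the user confirm the device) before it becomes an incident. The HIGH alert for alice is the pattern to act on immediately: the same source failed against six other accounts minutes before succeeding on hers.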
Here's a Short Email You Can Send Out to Your Users
To All Employees,
I would like to alert you to a third-party data breach to help you keep your personal, family and company data and finances safe.
Earlier today, eBay announced that they have suffered a breach that involved compromising email address, encrypted password, physical address, phone number and date of birth of eBay members. The company reports that no credit card or PayPal information was compromised but we wanted to make you aware of the attack and recommend a few specific actions.
- If you are an eBay customer, please make sure that you change your account password and monitor for any fraudulent account activity.
- If you have reused the same password on any other site, including your corporate account, please change it immediately. Attackers routinely try leaked email address and password pairs against many other sites, usually with automated tools.
- We recommend having a unique password for each site because not all password-related data breaches are made public, so you never know which passwords have been compromised.
- Please be alert for phishing attacks or fraudulent phone calls. With information such as physical address and date of birth, attackers can craft very realistic looking phishing mails. If you spot any unusual account activity associated with your corporate account, please notify the help desk and IT staff.
Please let me know if you have any questions.