EBay Inc. has been compromised.
The online marketplace announced today that a database storing 145 million encrypted passwords and other “non-financial data” was the target of a cyberattack between late February and early March. EBay has no evidence that criminals were able to decrypt the passwords or use them illegally.
EBay has hired FireEye Inc.’s Mandiant forensics division to investigate the breach, which will go down as one of the largest in history. To compare, the Target breach at the end of 2013 involved data from 110 million consumers.
The hackers gained access to a database that contained eBay customers’ names, encrypted passwords, e-mail addresses, physical addresses, phone numbers and dates of birth. EBay says it discovered the compromised log-in credentials two weeks ago.
As a precaution, eBay today asks all users to change their passwords, which it bills as “a best practice and will help enhance security for eBay users.” EBay says changing passwords is the best way to ensure consumers have a “safe, secure and trusted experience on eBay.”
The news comes as a new report details the lax password security of popular web sites, including eBay’s. In the second quarter of 2014, password management company Dashlane analyzed 22 password criteria for 80 of the web’s most popular sites. The firm assigned a positive or negative value to each criterion and awarded each site a score on a scale of -100 to +100. A score of +50 was considered the minimum for good password practices.
EBay had a score of +30, below the acceptable threshold. Dashlane docked eBay points for continuing to accept log-in attempts after repeated failures: at both of the study’s thresholds, four failed log-ins and 10 failed log-ins, eBay still allowed further attempts. The study did not indicate when, or whether, eBay locks user accounts at all. EBay ranked 19th of the 80 sites.
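The two thresholds in the Dashlane study, four and 10 failed log-ins, correspond to a policy most sites implement as a soft throttle followed by a hard lockout. The following is an added example of such a policy, not eBay’s code or anything Dashlane published; the backoff schedule (2, 4, 8, ... seconds) and the 15-minute lockout are assumptions, and the clock is injected so the policy can be exercised without sleeping.

```python
"""Failed-login policy with the two thresholds the Dashlane study checked:
soft throttling after 4 consecutive failures, a hard lockout after 10.
Added example; the lockout length and backoff schedule are assumptions,
not eBay's policy, and the clock is injected so tests need not sleep."""
from dataclasses import dataclass
import hmac
import time


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time another attempt is accepted


class LoginThrottle:
    def __init__(self, throttle_after=4, lock_after=10, lock_seconds=900.0,
                 clock=time.time):
        self.throttle_after = throttle_after   # first threshold from the study
        self.lock_after = lock_after           # second threshold from the study
        self.lock_seconds = lock_seconds       # assumed lockout length
        self.clock = clock
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def check(self, user):
        """Decide before the password is verified whether an attempt may proceed."""
        s, now = self._state(user), self.clock()
        if s.locked_until > now:
            return "locked"
        if s.next_allowed > now:
            return "throttled"
        return "ok"

    def record(self, user, success):
        """Update state after verification; returns the outcome for this attempt."""
        s, now = self._state(user), self.clock()
        if success:
            self.accounts[user] = AccountState()   # a success resets the counter
            return "ok"
        s.failures += 1
        if s.failures >= self.lock_after:
            s.locked_until = now + self.lock_seconds
            return "locked"
        if s.failures >= self.throttle_after:
            # exponential backoff: 2s after the 4th failure, 4s after the 5th, ...
            s.next_allowed = now + 2 ** (s.failures - self.throttle_after + 1)
            return "throttled"
        return "failed"


def attempt(throttle, user, password, real_password):
    """One login attempt: policy check first, then a constant-time compare
    standing in for a real password-hash verification."""
    verdict = throttle.check(user)
    if verdict != "ok":
        return verdict
    ok = hmac.compare_digest(password.encode(), real_password.encode())
    return throttle.record(user, ok)


def simulate(passwords, real_password="hunter2", step=120.0):
    """Drive the policy with a fake clock advancing `step` seconds per attempt
    (constructed guesses, no network); returns the outcome of each attempt."""
    now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    outcomes = []
    for pw in passwords:
        outcomes.append(attempt(throttle, "alice", pw, real_password))
        now[0] += step
    return outcomes


if __name__ == "__main__":
    # Twelve wrong guesses, then the right password while the account is locked.
    print(simulate(["wrong"] * 12 + ["hunter2"]))
```

Two properties matter for the study’s criterion: the correct password is refused while the account is locked, so a guessing bot gains nothing from eventually hitting it, and a success clears the counter, so a legitimate user who mistypes twice is never penalized. The counter here is only cleared by a success; a production policy would also let it decay with time and would rate-limit by source address, neither of which is shown.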
Ilia Kolochenko, CEO of information security company High-Tech Bridge, says the most dangerous consequence of an attack like this is the opportunity for hackers to use the breached password on another site. “Encryption does not really help, as our penetration testing practice shows over 80% of encrypted hashes [used on web applications] can be brute-forced within 48 hours,” he says. “But even a 50-random-characters password cannot guarantee 100% security, as hackers can just intercept passwords in plain-text when users are logging in, for example. This is why eBay is doing a good thing by advising users to change the passwords ASAP; people should not rely on encryption.”
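The claim that most stored hashes can be brute-forced within 48 hours comes down to how the password was stored. The following added example (not code from eBay, High-Tech Bridge or Trustwave) runs the same constructed wordlist against two records for the same password: an unsalted MD5 digest, which many sites still used in 2014, and a salted PBKDF2-HMAC-SHA256 record. The wordlist, the records and the iteration count are all constructed for the example.

```python
"""Offline dictionary attack against two ways of storing the same password:
an unsalted fast hash (MD5) and a salted, iterated KDF (PBKDF2-HMAC-SHA256).
Added example; the wordlist and stored records are constructed here, not
taken from any breach, and the iteration count is an assumption."""
import hashlib
import os
import time

# Constructed wordlist standing in for the dictionaries attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2",
            "dragon", "monkey", "football"]


def md5_store(password):
    """Unsalted MD5, as many sites still used in 2014."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 record in the form scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def crack_md5(stored, wordlist):
    """One MD5 per candidate; with no salt the table is built once and
    reused against every user in the dump and every other dump."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored)


def crack_pbkdf2(stored, wordlist):
    """The salt forces a fresh KDF run per candidate per user, and each run
    costs `iterations` HMAC evaluations, but a weak password is still found."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    salt, iters = bytes.fromhex(salt_hex), int(iters)
    for w in wordlist:
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters).hex() == dk_hex:
            return w
    return None


def cost_per_guess(iterations=100_000):
    """Rough wall-clock cost of testing one candidate under each scheme, in seconds."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.md5(b"candidate").hexdigest()
    t1 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    t2 = time.perf_counter()
    return {"md5": t1 - t0, "pbkdf2": t2 - t1}


if __name__ == "__main__":
    weak, strong = "letmein", "correct horse battery staple"
    print("md5   :", crack_md5(md5_store(weak), WORDLIST), crack_md5(md5_store(strong), WORDLIST))
    print("pbkdf2:", crack_pbkdf2(pbkdf2_store(weak), WORDLIST),
          crack_pbkdf2(pbkdf2_store(strong), WORDLIST))
    print("seconds per guess:", cost_per_guess())
```

Both schemes give up the weak password; the salted KDF only multiplies the attacker’s cost per guess by the iteration count and stops one precomputed table from serving every user. That is why a strong, unique password protects the user regardless of how the site stored it, and why a cracked password from one dump is immediately tried against other sites.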
A new report from security firm Trustwave found that nearly 25% of the usernames it investigated used the same password across multiple sites.