May 23, 2014

The eBay Breach - Woa! What response?

Written by David Kennedy
Penetration Testing Security Testing & Analysis
The eBay breach has been making headlines across the world, and it is possibly the second largest breach in history. We can't really go into much detail on exactly what happened because eBay has been tight-lipped about communicating any specifics. What we know thus far is that Kari Ramirez, a spokeswoman for eBay, said “For the time being, we cannot comment on the specific number of accounts impacted,” and then “However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords.” What appears to be impacted is anyone who used eBay and had an active account. Early reports indicate that the initial point of entry was through compromising employees and then extracting data from a single database infrastructure that holds everyone's user data (oops).

Now here is where we start to get into some interesting areas. The lack of response from eBay seems to indicate some major internal security issues, at least from an outside perspective. When a breach occurs, an organization with a security program will have practiced response procedures and has its ducks in a row. Such an organization can communicate to the public exactly what happened in order to give some level of assurance. What we've seen from eBay's responses has been the polar opposite. As an eBay user logging into the site, there were no notifications to customers, no warning messages, and no forced password resets. You even had to dig through a few menus to change your password. Business as usual? Looking in from the outside, this is a clear indication of some significant internal security problems. One thing that Target has taught us is that a major breach like this will have major implications throughout the entire organization.
While we don't know the full extent of the breach, eBay's major business is allowing customers to make purchases on items they bid on. That business has been massively impacted, and the breach will have a long-lasting effect on its brand and on customer assurance. Even more alarming, the breach spanned a long period of time, and eBay possibly knew about it for up to a month before telling the public. Take everything we know and bundle it in with the lackluster response coming out of eBay, and this is possibly an even larger disaster because of the lack of communication to the public. For a company that supposedly has a formal security program, peering in from the outside, it doesn't look good.

One thing to state is that a breach can happen to anyone. We have to accept that; even the best can be breached. Hackers are creative, dynamic, and always changing their techniques. The fault in this article isn't with the breach itself; it's with the troubled response from eBay and what appears to be an organization in disarray when it comes to responding to a security incident.

Recommendations? eBay, you need to start communicating everything right now, be open with the public, and show what you are doing to fix it. You are already beyond a reasonable timeframe, but you still *might* be able to save some face.