2014 Cyber Attack on eBay
On May 21, 2014 eBay announced a massive breach of a database holding personal data on roughly 145 million customers, at the time one of the largest data breaches ever disclosed. The damage was compounded by how the data was stored: customer names, email addresses, physical addresses, phone numbers and dates of birth were held in plain text, with no encryption at all.
What was compromised:
Usernames, encrypted passwords, email addresses, phone numbers, physical addresses and dates of birth.
What was not stolen:
Financial information (stored separately and encrypted).
eBay described the stored passwords only as "encrypted" and did not say how they were protected, so how hard they are to recover is unknown; a weak or reversible scheme can be broken quickly. Because many consumers use the same password on multiple sites, an attacker who recovers a password can quickly take over accounts across the web wherever the user reused that username and password on another site.
Responsibility for the attack was claimed by the "Syrian Electronic Army", though eBay never confirmed this. The hack was high profile and left a question mark over eBay's security. If that claim is genuine, the motivation was hacktivism rather than financial crime.
Method of Attack:
The initial foothold was the compromise of login credentials for three employees (eBay itself described it only as a small number of employee accounts). Two eBay vulnerabilities reported around the same time show possible ways an attacker could hijack accounts or harvest credentials:
1) Web application vulnerability (stored XSS):
Michael E., a security researcher from Germany, reported to The Hacker News that he had found a cross-site scripting (XSS) vulnerability on eBay's auction pages. It allowed an attacker to inject arbitrary HTML and JavaScript into a listing; the script then ran in the browser of every user who visited the poisoned auction page, with a payload that stole the user's account cookies.
2) Cookie re-use vulnerability (missing session invalidation):
In a separate experiment it was found that eBay kept accepting the same login cookies again and again, even after the victim had logged out or reset their password. Combined with the XSS above, a stolen cookie therefore gave an attacker persistent, unauthorized access to the victim's account without ever knowing the old or the new password.
eBay was criticized for not informing customers of the breach quickly enough: the public announcement came about two weeks after the breach was discovered.
Solutions taken:
1) Users were advised to change passwords
Customers were advised not to reuse passwords across accounts and to change them regularly. Customers who had ever shopped on eBay were also asked to monitor their credit using one of the many credit monitoring services.
2) Three US states (Florida, Illinois, Connecticut) launched a joint investigation into the attack, together with the Federal Trade Commission (FTC).
Comments:
The company should have considered such a scenario beforehand and upgraded its security levels.
Customers should check the website before providing a banking password. Customers can check for the http/https tag on the website.
Precisely written! Information on credit cards being stolen is a very sensitive issue and could lead to the loss of a huge amount of money. Multiple layers of security should be used in such a case. Also, different passwords must be used wherever possible to avoid easy hacking of the account. The two vulnerabilities which were the causes of the hack are explained well!