eBay will be forcing users to change their passwords later today, according to its announcement. Employee credentials were stolen and used to access internal databases containing “customers’ name, encrypted password, email address, physical address, phone number and date of birth.” The theft was not discovered until a couple of weeks ago even though it took place nearly 2 months ago. This is another example of why proactive log monitoring and correlation are essential for organizations with any type of sensitive data. As the data breaches continue, Target is quickly finding itself with plenty of company.
eBay says that passwords were encrypted, but as the breaches have continued to pile up, we have seen time and time again that organizations’ definitions of "encrypted" passwords are loose at best. We have no choice but to assume the passwords are compromised. People should change not only their eBay password, but also the password on any other account that uses the same one.
“Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”
Users need to be vigilant for phishing emails purporting to be from eBay and should verify the legitimacy of any such email before acting on it.