Unlikely Attackers Could Use Stolen Ebay Passwords

Brendan Rizzo
Technical Director
Voltage Security

Commenting on news from eBay about compromised passwords and customer info, Brendan Rizzo, Technical Director for

“It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have ‘hashed’ and ‘salted’ its passwords. If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user's behalf.

This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it's not a matter of if it will be compromised - it's a matter of when. While there is no doubt that eBay has top-of-the-line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company's defenses undetected. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial-related data.

If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where users' personal information has now been exposed to an untold number of cyber criminals.”

