Genuine Curiosity

Author Dwayne Melancon is always on the lookout for new things to learn. An ecclectic collection of postings on personal productivity, travel, good books, gadgets, leadership & management, and many other things.


Don't be a victim in the eBay data breach

If you're an eBay user like me, you'll have seen the news about their recent data breach in which users' names, email addresses, physical addresses, phone numbers, date of birth, and encrypted passwords were taken.  As part of my day job, I have been involved in sharing information about this incident, and thought I would share some of my thoughts here.

From the information publicly shared by eBay, it appears that the data breach involved securely encrypted passwords, which makes it more difficult to gain access to users’ eBay accounts en masse, as it will require brute force decryption (i.e. high-speed guessing) to determine the specific characters in an individual's password.  If you use a simple and/or a short password, the chances of them guessing your password quickly are much higher and if you re-use that simple password on other sites, your risk goes up greatly.  Remember, once the attackers have your email address and at least one of your simple passwords at that point, they can start trying that combination on other sites to see if they can get lucky.

The fact that user email addresses, physical addresses, and dates of birth were taken in the breach is more concerning.  Criminals could use your personal information to masquerade as eBay customers on other sites, or perhaps use knowledge of that data to ‘social engineer’ their way into users’ other accounts on other services.  Unlike the passwords themselves, the other user-specific information was not encrypted and therefore could be easily reused by attackers.

eBay will ask you to reset your password - do it, even though it appears they will make this optional.  Furthermore, use a complex password - I suggest that you use a product like 1Password or LastPass to help you manage passwords online (I use 1Password, personally). These products can help you create a strong password by suggesting and saving a highly complex password.  Of course, you should also make certain you are not using your eBay password on any other sites.

Many eBay users also have their accounts connected to PayPal for payments (PayPal is owned by eBay, but their statements indicate that PayPal was in no way involved in the data breach).  For additional security, I recommend you make use of PayPal’s optional feature which uses 2-factor authentication to verify the users’ identity prior to making a payment (you can find more information on PayPal's site).  Given that PayPal is linked directly to your bank accounts, this is a best practice even if there had not been a data breach at eBay - I have been using this multi-factor approach for a couple of years and it adds an extra step in the buying process, but provides a great deal more security.

Finally, eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this.  To be safe, do not click on links in emails about eBay security or password changes; instead, type the eBay URL directly into your browsers and log into the site that way to prevent disclosing your credentials to spoofed, malicious copies of the eBay site.