If you are an eBay user, you’ve probably already received an email from their corporate HQ encouraging you to change your password. The mass mail appears to be related to last year’s compromise of eBay, and is signed by President of eBay Marketplaces David Wenig. The email states that “our company discovered a cyberattack” and that this attack “compromised a database containing eBay user passwords.”
Given that eBay has in excess of 113 million users and that password credentials would almost certainly be stored in a database table alongside each user’s email address, such a breach could be a gold mine for attackers looking to capitalize on users who have reused their password across multiple Internet services. The passwords were almost certainly hashed, but given human nature and the vast dictionaries used by those eager to exploit credential dumps, it would not be unreasonable to assume that at least one-third of the passwords would be recoverable.
The mass mail-out is an unmitigated PR disaster for eBay, who state that they believe the compromise occurred somewhere between February and March of this year. According to eBay, the leaked dump includes the physical address, date of birth and full name of each eBay customer – pretty much an identity thieves’ dream. There is the potential for eBay to become the new Sony if the stolen information makes its way onto the wider Internet and is widely misused.
The saddest part of this whole affair is that eBay has been aware of the compromise for quite some time and has only now elected to inform its customer base. How much avoidable damage has been done to its clients as a result of this deliberately sluggish disclosure?