eBay announced this past Wednesday it was hit by a huge cyber attack sometime during the February and March time period of this year.
The attack exposed the personal data of up to 233 million registered accounts. Attackers gained unauthorized access to eBay’s main database which contains usernames, passwords, email, and physical addresses. eBay’s response to the crisis has been criticized as being more embarrassing than the attack itself. It took eBay three months, until this May, to notice the data breach, after which it waited two weeks to make an announcement. eBay is now being investigated by three states — Connecticut, Florida, and Illinois — in a joint probe into its security practices.
On top of the massive cyber attack, researchers have found that eBay’s site is vulnerable to a serious flaw that could allow an attacker access to user accounts. The flaw is called a cross-site scripting (XSS) vulnerability. It was discovered by a 19-year-old college student in the United Kingdom. In a nutshell, an XSS flaw can allow an attacker to inject malicious code into an otherwise seemingly safe site, intercept cookies in a user’s session and — this part is especially scary to think about — gain access to the user’s account and interact with the site as that user.
Along with eBay, CNN and PayPal are two other major sites that have experienced XSS vulnerabilities.
Hopefully, among the lessons learned from eBay’s data breach and XSS vulnerability, is that eBay needs to take measures to tighten up security holes in their site. And, other businesses need to take into account why eBay’s site was exposed and look into how exposed their own sites might be, and what proactive security steps can be taken.
For their part, eBay is urging all its users to change their account password. Additionally, when faced with having to make a password change, it is highly recommended to use a combination of letters, numbers, and symbols. Home computer users should also make sure they keep their computer operating systems, along with all installed software, up-to-date with the most current patches.
No comments yet.