Hackers have stolen the personal details of 145m customers
from eBay, including names, email and postal addresses, phone numbers and dates
of birth. How worried should you be, what can they do with this data and what
steps can you take to limit the damage?
 |
| eBay has handled the loss of data extremely poorly, with experts and MPs castigating the company for what appeared to be serious delays in informing their customers after the initial breach at the end of February |
Hackers have stolen the personal details of 145m customers
from eBay, including names, email and postal addresses, phone numbers and dates
of birth. How worried should you be, what can they do with this data and what
steps can you take to limit the damage?
Encrypted passwords were also snatched, so the company is
taking the precaution of telling users to choose new ones, even though it’s
unlikely they can be deciphered on a wide scale. No financial data has been
lost, eBay claims, so any credit card information stored with PayPal is also
safe.
 |
| Ebay Hack |
The main threat is that the data will be used to commit
identity theft and as a handy database for spammers. With those personal
details hackers will be able to craft convincing messages which appear to come
from eBay, your bank or any other reputable organisation - many people will be
fooled into handing over yet more data that exposes them further.
Imagine a nefarious character who spots someone complaining
on Facebook about being unable to log-in to online banking. They look up their
name in the list of stolen eBay records and find a match; they now have an
address, date of birth and phone number which can lend a sense of authenticity
to a faked email from the bank requesting account numbers and sort codes in
order to resolve the problem. Once this is handed over, the hacker is one step
closer to stealing the victim’s money.
Or, in a less targeted attack, they could send 145m people
an email purporting to be from a certain bank and requesting that they follow a
link and reset their password - the link will point to a fake version of the
bank’s website which is there to harvest data. This scattergun approach needs
only a tiny percentage of people to comply in order to prove hugely lucrative.
This spam email could also be used to get people to click on
links or download files which infect their computers with malware. This could
be used for a range of reasons: to send yet more spam email, to mine Bitcoins
or even to spy on people through their webcam.
Of course, not everyone will fall for these tricks, but they
don’t need to - with 145m records there will be enough who do. Someone will be
making a fortune with this data. The stolen details will likely be treated like
a commodity, sold and resold on underground websites and used to con money out
of vulnerable people by various groups for years to come.
We’ve already seen criminals trying to con each other;
several different samples of data purporting to be from the eBay leak have been
published online, acting as proof of possession in a form of underground advert
which demands money for the full file. We’ve been told by security researchers
that this data is old information from previous hacks, crafted to look new. One
of these adverts requests payment in Bitcoin - we have investigated and
verified that nobody has yet fallen for the trick.
In truth, there is little that can be done about this loss
of personal details - the cat cannot be put back in the bag. It is worth
checking your credit rating with services like Experian, as an unexpected
change in credit rating could be a warning sign that you've become a victim of
identity theft.
Changing your eBay password is a vital step which should be
taken quickly. You should also change any other website passwords where you've
used the same phrase, as hackers will often try the same email and password at
other sites knowing that many struggle to remember multiple passwords.
But what should your new password be? The more simple it is,
the easier it is to crack.
Often an attacker will use a “brute force” approach, which
uses a computer to rapidly try every possible combination of characters until
it finds the correct one. Obviously, the shorter a password is, the less time
it will take to break. But a long password is both hard to type in and to
remember, so a sensible balance must be struck.
Brute force attack software will often use dictionary files
that contain regularly used combinations of letters or numbers, inputting them
one-by-one until the correct one is found. Some are clever enough to also try
common words typed both forwards and backwards, and abbreviations.
So it is advisable to be as random as possible and perhaps
use intentionally misspelled or fictitious words. Certainly, choosing names,
birth dates or places is not the best way to protect your account.
Microsoft recommends that passwords are at least eight
characters long, while many websites will demand that it is made up of both
numbers and letters, often both uppercase and lowercase. As much complexity as
you can practically live with is advised. Some sites will allow the use of
symbols such as %, &, * and #.
It is also advisable to change your passwords regularly, so
that if any are exposed, the attacker will only have a limited opportunity to
use your account.
One thing worth considering is using a password manager such
as LastPass. These products will keep all of your passwords in one place,
protected by a master password. They will automatically generate long, secure
passwords for you, and prompt you to regularly change them.
If you change your eBay password and have not used the same
password for other services, then you should be safe.
Ref: The Telegraph!!
