eBay Hacked, Top Things I Would Do If I Were You

May 23, 2014
Kevin Lam

This week eBay reported that they discovered that their customer database was hacked about two weeks ago and urged their customers to change their passwords.  In fact, the actual compromise happened in late February — which means the hackers had a big head start.

eBay is asking customers to change their passwords.  That’s great, and you should. But here’s what else I would do if I were you (i.e., as someone who professionally breaks into computer systems for a living).

Tip #1: I Would Actually “Change” Your Password

The obvious thing to do is change your password, and that’s what eBay is recommending. However, there’s a proper way to change your password and an incorrect way to do it.  Most people change their passwords by adding another character to the end. For example, if their password was “seahawks” (sorry SF readers), then most people just add a character or two at the end, like “seahawks&&” or “seahawks1”.  Not good enough. Password changes like these can be broken in seconds, probably less. You need to change your password to something completely unique, strong and different from the old password. What I am doing: I am changing my eBay password to something completely different from all the passwords I use anywhere on the Internet and from my old eBay password.  It’ll be strong and hard for hackers to guess.
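As an added illustration (my example, not code from the original post or from eBay), here is a small Python check that flags the kind of “new” password Tip #1 warns about: the old password with a character or two tacked on, a swapped trailing digit, or the old password buried inside the new one. The function names, the 12-character minimum, and the sample passwords are assumptions made for the example.

```python
import secrets
import string

# Minimum length we assume for a replacement password (an example policy, not eBay's).
MIN_LENGTH = 12
# How many extra characters still count as "just appended something".
MAX_EXTRA = 3


def normalize(pw: str) -> str:
    """Lower-case and trim so 'Seahawks!' and 'seahawks!' compare equal."""
    return pw.strip().lower()


def is_trivial_variant(old: str, new: str, max_extra: int = MAX_EXTRA) -> bool:
    """True if `new` is only a cosmetic edit of `old`.

    Catches: identical (ignoring case), a few characters appended or
    prepended, the trailing digits/symbols swapped ('seahawks1' -> 'seahawks2'),
    and the old password contained whole inside the new one.
    """
    o, n = normalize(old), normalize(new)
    if not o or not n or o == n:
        return True
    extra = len(n) - len(o)
    # 'seahawks' -> 'seahawks&&' or '1seahawks'
    if extra <= max_extra and (n.startswith(o) or n.endswith(o)):
        return True
    # Strip trailing digits/punctuation from the old password to get its core,
    # so 'seahawks1' -> 'seahawks2014' is still recognised as the same word.
    core = o.rstrip(string.digits + string.punctuation)
    if len(core) >= 4 and n.startswith(core) and len(n) - len(core) <= max_extra + 2:
        return True
    # Old password reused as a building block: 'goseahawks2014'
    if len(o) >= 6 and o in n:
        return True
    return False


def check_new_password(old: str, new: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of reasons a proposed change should be rejected (empty = OK)."""
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of old password")
    return reasons


def generate_password(length: int = 20) -> str:
    """Generate a genuinely random replacement using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample changes, mirroring the article's 'seahawks' example.
    for candidate in ["seahawks&&", "seahawks1", "Seahawks2014", "velvet-thimble-orbit-42"]:
        verdict = check_new_password("seahawks", candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print("suggested replacement:", generate_password())
```

The point of the check is not that any one rule is clever, but that all of the “seahawks” edits most people reach for fail it, while an unrelated passphrase passes; a password manager does the same job with far less effort on your part.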

Tip #2: I Would Change Your PayPal Account Password Too

The eBay report indicated that PayPal accounts were not affected and that hackers were not able to access financial data. I am a bit skeptical. The reason is that you can link your eBay account to your PayPal account for faster purchases. Something about your PayPal account has to be saved by eBay (maybe it’s your PayPal password, maybe it’s an authentication token, who knows) in order for this to be possible. So while reports have “no evidence of …” plastered all over them, the developer and security pro in me is skeptical. What I am doing: I don’t work at eBay or PayPal, so there’s no way for me to know for sure. But I am not taking any chances with my money either. I am changing my PayPal password as well.

Tip #3: I Would Move Your PayPal Balance Until Investigations Are Completed

Think about it. Money is the prize here. Not your phone number, not your email address and probably not your birth date — who cares anyway, hackers can get that off Facebook. It’s money. So you can be sure that if the hackers got any PayPal data, encrypted or not, they are working on getting access to your account right now. Not to mention that the hackers had a three-month head start. All the reports I’ve read say that “there was no evidence that PayPal accounts were affected”. But whenever I see “no evidence of …” I always think “that they know of”.  See my point? What I am doing: I am transferring my PayPal money back to my bank account until investigations are completed, systems have been validated clean and conclusive facts reported.

Thanks for reading this week’s Data Protection Friday article, see you all next week.

Kevin Lam


P.S. Don’t forget if you’re in the healthcare industry that I am presenting a free Webinar on June 4, 2014 at 1:00 pm EST on “Hacking into Your Healthcare Systems: Top Signs You’re Prime for a Data Breach in 2014”.  If you would like to attend for free, use this link: https://attendee.gotowebinar.com/register/9060275238459733762