Ebay cyberattack: Security experts agree that employees are weakest link

Ebay's millions of customers at risk

In the wake of one of the biggest cyberheists ever, TechRadar Pro received dozens of comments from security specialists, arguing and debating the reasons for and consequences of this high-profile cyberattack and, most importantly, how end-to-end security needs to change. We compiled the best of them below.

Using the same passwords?

"While eBay has confirmed that no financial information has been breached, personal information, including date of birth, names, emails, phone numbers and postal addresses have all fallen into the hands of the hackers. With such a delay in acknowledging the attack, the true extent of the data loss is not yet known and it's imperative that further analysis is done before we can make any further assumptions. For now, when eBay users receive the request to change their password, they should do so immediately and do the same on all other sites where the same password has been used. The information gained by the hackers is also useful in phishing attacks and for secondary password (reset) information – the effect of this falling into the wrong hands should not be under-estimated." Dr Guy Bunker, SVP Product at Clearswift.

"The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for. Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can't rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place. However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data." David Emm, senior security researcher at Kaspersky Lab.

Blame the employees

"eBay won't be the last organisation to fall foul of weak employee security practices, but it can be a learning point for big and small businesses. Enforce regular password changes, educate staff about the real risks associated with keeping passwords written down in plain sight or in obvious hiding places like the top drawer of a desk, monitor networks for rogue Wi-Fi access points and invest in software to let you manage, control and isolate the barrage of mobile devices that staff and visitors bring in to the workplace and connect to public and private networks." Sergio Galindo, general manager, Infrastructure Business Unit at GFI Software.

"The attack raises a number of questions, not least 'how did this happen in the first place?' Reading between the lines of the company's brief statement, it appears that employees have been hit by a phishing attack, falling for a scam and tricked into giving their credentials away. If this information was only protected by usernames and passwords, and employees were so easily duped, it really is concerning. As one of the world's leading e-tailers, eBay should be treating information as we would the Crown Jewels - through layers of protection." Professor Alan Woodward, Department of Computing at the University of Surrey.

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.