Thursday, May 22, 2014

More than 15 million Britons at risk of identity theft after eBay hacked - Telegraph.co.uk

More than 15 million British users of eBay could be at risk of identity theft after their personal data were stolen in the world's biggest online security breach, the auction website warned on Wednesday night.

The company told all of its customers urgently to change not only their eBay passwords but also those for any other accounts with the same password.

It admitted that the name, address, date of birth, telephone number, email address and password of every eBay account holder – 233 million people worldwide – was in the hands of the hackers.

After the announcement, MPs accused the US-based firm of an "inexcusable" delay in admitting that its servers had been accessed by hackers up to three months ago. Security experts warned that the delay greatly increased the risk of criminals using the information to access bank accounts and other online accounts, particularly in cases where people use their eBay password for several websites.

The danger goes beyond the internet, because some telephone banking services accept a date of birth and address to verify the identity of a customer.

The auction site admitted that it discovered two weeks ago that the personal information had been stolen. Between late February and early March hackers accessed eBay's servers by gaining access to an employee's login credentials and using his or her internal passwords to access and download the information.

The Commons home affairs select committee, which published a report on cyber crime last year, will write to eBay demanding an explanation.

Paul Martini, the chief executive at iboss Network Security, described eBay as the "golden goose of hacking targets" because of the vast amount of information it holds. He said: "The damage could well have already been done, as the time lag between the cyber breach and the discovery of the breach is in the months. Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites."

Although all of the passwords were encrypted, computer experts said that in the three months since obtaining them the hackers could have deciphered them and used them to commit fraud. Other details, such as names, addresses and dates of birth, were not encrypted. On Wednesday night, eBay, which also owns the online payment service PayPal, insisted that no financial data were stolen and that PayPal's servers had not been compromised.

However, David Emm, a senior security researcher at Kaspersky Lab, said: "The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cybercriminal activity."

Alan Woodward, an independent security consultant, added: "The hackers have a nice neat pile of personal information which can be used to steal identities or even help them get around other systems through password reset scams."

Keith Vaz, the chairman of the Commons home affairs select committee, said: "I am very concerned. The issue of cybersecurity is now considered to be one of the main areas of fraud and crime. We have urged companies to take much more seriously the threat of hacking. It is inexcusable that a company as important as eBay has failed to inform its customers immediately that this has occurred. We need a full explanation. We will be writing to them to ask how this happened and whether this problem has been resolved."

The company refused to say why it had waited two weeks to tell customers about the security breach. It said "extensive tests" on its networks had found "no evidence" of unauthorised accessing of eBay accounts. However, users who do not change their passwords in the coming days will be forced to do so when they next log on.

The theft of 223 million eBay users' details makes it the most widespread computer hack in history. The previous record was a long-term hack of 160 million credit card numbers through various US businesses from 2008 to 2013.

Source : http://www.telegraph.co.uk/technology/news/10848080/More-than-15-million-Britons-at-risk-of-identity-theft-after-eBay-hacked.html