eBay, the popular online auction site and service, is warning all of its customers to go to its web site and change their passwords. Whether or not an account has been used recently, the personal information stored in each profile is vulnerable to theft.
One could attribute this to hackers, but that doesn’t appear to be the case in this instance, since it is being reported as an internal security breach. eBay is saying that a small number of its own employees' logon credentials were stolen and used to gain access to the company's network. A database full of user information was stolen, affecting personal data for over 145 million of its customers.
Though it is only making the news rounds today, the theft actually took place two months ago. Information obtained by criminals includes names, account passwords, email addresses, physical addresses, phone numbers, and birth dates. I guess a happy hacker will simply send you birthday spam. Despite the database theft taking place two months ago, eBay has stated it only discovered that the employee credentials had been compromised two weeks ago, further compounding the issue.
Concerns that PayPal might also be affected by the breach have been raised, since PayPal is a subsidiary of eBay; however, the company suggests that PayPal is unaffected because it is kept on a separate network. Still, I'm not sure how much assurance that gives right now.
eBay's security woes are just one more entry in a growing list of major data breaches over the past year. Target, AOL, Adobe, and many more have been successfully attacked with customers' personal data as the objective.
Cloud security is handled much differently than general business. For most companies, login passwords are required to be changed on a regular cadence and super strong passwords are enforced. With so many Cloud companies trying to lure corporate users to use their infrastructures instead of those supplied by the local network, Cloud security is going to need to change. Two-factor authentication is one thing, but most major web service customers are never required to change logon credentials, primarily due to inconvenience. I know I'm at fault. I rarely change my password for the web-based services I use and for a lot of them I either use the same password or some variation. And, just like any end-user, I get annoyed if a web service asks me to change it.
Things need to change, and dramatically, if the Cloud is going to be at all viable for corporate users.