eBay hacked, criticised for slow response

Security intelligence questioned at auction site

EBay has become the victim of a cross-site scripting attack, which sent some of its users to a malicious website designed to steal their credentials.

An eBay customer alerted the auction site to the attack on Wednesday, but the BBC claims that the firm only addressed the compromise after it called to check on the issue more than 12 hours later.

This incident follows an eBay database breach in May and a scam affecting its StubHub website in July.

Paul Ayers, vice president EMEA at Vormetric, said:

"It is unfortunate that eBay has once again found itself under fire for failing to respond adequately to a data breach incident. To make matters worse, this latest report comes just a little too soon after attacks on its database and daughter site, Stubhub, which exposed user credentials."

"Data is becoming an increasingly valuable currency, and hackers are becoming sneakier in their quest to steal it. For businesses, this has greatly increased the risk of reputational damage and called for a step change in current data security policies, particularly as consumers are rapidly losing patience with those who cannot safeguard their private information. For eBay, this hat-trick of security incidents will surely do the company no favours in terms of restoring and maintaining consumer confidence.

"In this day and age, businesses of all sizes need adequate security intelligence mechanisms in place to monitor all activity across their networks, so that they can spot any suspicious activity and stop hackers in their tracks. As has been shown, hackers will find one way or another to get access to data. As a result, encryption of sensitive data, regardless of where it resides, is the only way to ensure that it remains illegible and essentially useless if, or when, it falls into the hands of cybercriminals. Had appropriate lessons been learned from the previous breaches, this might have played out differently. As it stands, this incident serves as yet another example of why a different approach to data security – one that is proactive rather than reactive – is so urgently required."