Although it took eBay itself an absolute age to disclose that a serious breach had taken place, and then completely screwed up the process of ensuring users change their passwords, this should come as no real surprise. Happygeeks' Law states: the larger the corporate, the longer it takes to admit anything and the bigger the chance it will handle it badly. What is surprising is that it has taken so long for the stolen database of user credentials to go up for sale on the dark market.
If you consider that the breach itself happened a couple of months ago, and eBay has known about it for a couple of weeks, why is it only now that the database has been put on the open market? The obvious answer is that the value of that database will increase once everyone knows about it, all that free publicity etc. But the obvious answer is also the wrong one; this kind of information is most valuable before anyone knows that it has been compromised. It's like a zero day thing: if nobody knows it has been stolen then nobody is prepared for an attack. Now the news is out, now that eBay and eBay users alike are aware of the breach, passwords will (eventually) be changed and everyone will be watching for unusual activity. That devalues the data rather than adding a premium to it.
So why put it up for sale now? Good question, although a better one would be 'is this actually the stolen database or not?' There are certainly already a number of fakes out there, chancers cashing in on the media attention, looking for kudos as well as cash, but one particular database that's on offer for 1.45 bitcoin (about $775 at the time of writing) has caught my attention. Not least as it contains real data of the right sort, and lots of it without the usual duplicates to bulk a fake-base up. How big? This one is more than 20Gb and contains more than 145 million unique records which all sounds about right.
Trey Ford, who is a global security strategist at IT security experts Rapid7, has been analysing the data that is being offered as a free sample to interested parties (consisting of 12,663 records) and found a number of matches between email prefixes and eBay profile names. "This doesn't necessarily mean these credentials are from the eBay attack," Ford admits. "It could be that people use the same handle across multiple sites including one that was previously compromised, and the creds are actually from that."
Indeed, Ford also found a number of matches between the email addresses and a popular Malaysian web forum, which could well point to the source of the credentials on offer, rather than them being from eBay. Not forgetting, of course, that there is no way of saying how representative that sample file is of the information contained in the entire database being sold.
On the good news front, what Ford has managed to ascertain from the sample data he's been looking at is that "cracking the passwords will take considerable time", unlike the LinkedIn breach, when passwords were quickly cracked because they were stored as plain SHA-1 hashes. "This credentials set is using PBKDF2 (Password-Based Key Derivation Function 2) SHA-256 hashes," Ford says, "which means they employ a strong hash function and also intentionally make cracking them more difficult and slow by individually salting and using a high number of hash iterations."
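To make Ford's point concrete, here is an added Python example (not code from the article, Rapid7 or eBay) contrasting the unsalted SHA-1 storage LinkedIn used with PBKDF2-HMAC-SHA256 records that carry their own salt and iteration count. The password and the iteration count are constructed for illustration; the article does not state what eBay actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values; the article gives neither a password nor eBay's iteration count.
SAMPLE_PASSWORD = b"correct horse battery staple"
ITERATIONS = 100_000  # assumed work factor for this example


def legacy_sha1(password: bytes) -> str:
    """Unsalted SHA-1 storage: every user with the same password gets the same
    digest, so one lookup in a precomputed table cracks all of them at once."""
    return hashlib.sha1(password).hexdigest()


def pbkdf2_record(password: bytes, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 key with a fresh per-record salt and store
    algorithm, iteration count, salt and key together so verification is self-describing."""
    if salt is None:
        salt = os.urandom(16)  # individual salt: same password -> different record
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute the derived key from the stored parameters; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def cost_per_guess(record: str) -> int:
    """Number of HMAC-SHA256 evaluations an attacker pays for ONE candidate password
    against ONE record. Plain SHA-1 costs a single hash; PBKDF2 costs `iterations`,
    and the salt means the work cannot be shared across records."""
    return int(record.split("$")[1])


if __name__ == "__main__":
    alice = pbkdf2_record(SAMPLE_PASSWORD)
    bob = pbkdf2_record(SAMPLE_PASSWORD)
    print("SHA-1 identical for both users:", legacy_sha1(SAMPLE_PASSWORD) == legacy_sha1(SAMPLE_PASSWORD))
    print("PBKDF2 records differ (salted):", alice != bob)
    print("Alice verifies:", verify(SAMPLE_PASSWORD, alice), "| wrong password:", verify(b"hunter2", alice))
    print("HMAC calls per guess per record:", cost_per_guess(alice))
```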
Assuming this is the eBay data then it's good news; however, we don't know that it is, and eBay is (quite rightly) saying nothing about the precise method it uses to secure password storage. Whether it's genuine or not, I still maintain that eBay should be forcing everyone to change passwords by simply invalidating ALL existing passwords. Sure, this would be a massive pain in the backside, but it would also make that stolen dataset a lot less valuable and reinstate some degree of belief that eBay both understands security and cares about its customers.