After hackers stole e-mail addresses and other user data from EBay's network, the company announced today that it would e-mail users to suggest they change their passwords. That doesn't make a whole lot of sense.
The problem with this approach is that the hours immediately following a breach are prime time for hackers. Cyber-criminals are consummate opportunists. They scrutinize the news looking for ways to craft fraudulent and timely messages to trick people into clicking on them. The millions of EBay users who may have caught wind of the breach after seeing a headline today are more likely to fall for an e-mail scam prompting them to click a link and input their log-in information. A similar technique was used by Chinese military officers to hack into U.S. companies, showing that in cyber-security, people are their own worst enemies.
Instead of e-mailing the auction site's more than 145 million active buyers worldwide, EBay could have immediately done something that Adobe Systems, LinkedIn and Evernote all did after their recent high-profile hacks: change users' passwords. Automatically resetting accounts is becoming a "common courtesy" after many breaches, says Lysa Myers, a researcher with Slovakian security firm ESET.
EBay said in a statement earlier today that there's no evidence of unauthorized activity resulting from the breach. Kari Ramirez, a spokeswoman for EBay, now says all users will "shortly" be required to change their passwords before logging in.
"Far too many people will simply ignore the notification and do nothing," says Brian Contos, a vice president at security firm Blue Coat Systems. "Companies should automatically reset passwords, notify users why this is being done when they log in and hopefully allow more robust alternatives," such as two-step authentication.
For a case study in the danger of waiting, look at what happened to LinkedIn. A day after the company disclosed in June 2012 that encrypted passwords for some users had been stolen, 6.5 million LinkedIn passwords showed up on a hacker site. The company initially reset only the passwords it believed to be cracked. Later, LinkedIn disabled the passwords of other users who might have been affected.
Contrast that with Evernote's response to a breach of its network in March 2013 in which user data — including passwords protected by strong encryption — were stolen. The Redwood City, California-based company went all the way. It disabled all passwords and required users to create new ones the next time they logged in, a step the company said was taken out of "an abundance of caution."
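As an added illustration, not code from the article or from any of the companies named, here is the login check that the Evernote-style blanket reset (and Contos's recommendation above) needs: a breach-time epoch invalidates every password chosen before it and revokes live sessions, so a user who arrives with the old, still-correct password is sent to the reset flow instead of being let in. Account names, timestamps and passwords are constructed.

```python
from dataclasses import dataclass, field
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a production password KDF (argon2/bcrypt/scrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float                 # when the current password was chosen
    sessions: set = field(default_factory=set)

class AuthStore:
    def __init__(self):
        self.accounts = {}
        self.invalidated_before = 0.0  # breach epoch: passwords set before it are dead

    def set_password(self, user, password, now):
        # Assumes the caller has already verified the reset flow (e.g. a reset link).
        salt = os.urandom(16)
        self.accounts[user] = Account(user, salt, _hash(password, salt), now)

    def invalidate_all_passwords(self, now):
        # Blanket reset: every password chosen before `now` stops working and every
        # live session is revoked, without waiting for users to read an e-mail.
        self.invalidated_before = now
        for acct in self.accounts.values():
            acct.sessions.clear()

    def login(self, user, password, now):
        # Returns ("ok", token), ("reset_required", None) or ("denied", None).
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return ("denied", None)          # wrong password or unknown user: same answer
        if acct.pw_set_at < self.invalidated_before:
            return ("reset_required", None)  # correct, but pre-breach: do not let it in
        token = os.urandom(8).hex()
        acct.sessions.add(token)
        return ("ok", token)
```

The "e-mail a suggestion" approach is the same store without the `invalidate_all_passwords` call: the stolen credential keeps working until each user gets around to changing it.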
A blanket resetting of passwords can irritate users and in the case of e-commerce, slow or deter purchases. But trusting people to protect themselves is not a good form of cyber-security.