Anatomy of a Breach: eBay — 145 Million Accounts Compromised Through Employee Credentials

> series: anatomy_of_a_breach —— part: 065 —— target: ebay —— accounts: 145,000,000 —— entry: employee_credentials

Hedgehog Security 31 May 2014 12 min read

145 million accounts. All it took was a few employee passwords.

On 21 May 2014, eBay disclosed that attackers had compromised a small number of employee login credentials between late February and early March 2014 and used them to access a corporate database containing the personal information of approximately 145 million registered users. The stolen data included names, email addresses, physical addresses, phone numbers, dates of birth, and encrypted passwords. Financial data (credit card numbers) was stored separately on PayPal's systems and was not compromised.

eBay advised all 145 million users to change their passwords — one of the largest forced password reset operations in internet history at the time. The company faced criticism for the delay between discovering the breach (early May) and disclosing it (21 May), and for the lack of clarity about how the employee credentials were initially compromised. The breach reinforced a pattern documented throughout this series: compromised employee credentials provide the most reliable path to mass data theft, and multi-factor authentication is the most effective defence.

Employee credentials → corporate database → 145 million records.

The eBay breach followed the same attack chain as the Target breach six months earlier: compromised credentials (whether through phishing, credential stuffing, or another method) provided access to internal systems, and from those internal systems, the attackers reached a database containing the organisation's most valuable data. The gap between the employee access point and the customer database — the absence of segmentation, monitoring, and additional authentication — was the vulnerability that turned a credential compromise into a 145-million-record breach.

No MFA on Employee Access

The compromised employee credentials provided access without a second factor. MFA — now a <a href="/cyber-essentials">Cyber Essentials Danzell auto-fail criterion</a> — would have prevented the stolen passwords from being usable. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses MFA deployment across all access paths.

145 Million Records Accessible

A small number of compromised employee accounts could access a database containing 145 million user records. The principle of least privilege — limiting each account's access to the minimum required for its role — was not adequately enforced. Our <a href="/penetration-testing/infrastructure">penetration testing</a> assesses privilege levels and database access controls.

Weeks Between Breach and Disclosure

The breach occurred in February-March, was discovered in early May, and was disclosed on 21 May. Under GDPR (which was not yet in force), organisations must report breaches within 72 hours. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects breaches faster, and <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response capability to manage disclosure obligations.

Passwords Encrypted, Not Hashed

eBay described the passwords as 'encrypted' rather than 'hashed' — a distinction that raised questions about whether the passwords could be decrypted if the key was obtained (as with <a href="/blog/anatomy-of-a-breach-adobe">Adobe's 3DES catastrophe</a>). Our <a href="/penetration-testing/web-application">application testing</a> verifies that password storage uses appropriate one-way hashing, not reversible encryption.

MFA. Segmentation. Monitoring. The same three answers.

The eBay breach, like Target before it, demonstrated that compromised credentials are the master key — and that the only reliable defence is layered: MFA to prevent credential reuse (Cyber Essentials), segmentation to limit what compromised credentials can reach (infrastructure testing), and monitoring to detect when compromised credentials are being used anomalously (SOC in a Box). Every major breach in 2013-2014 — Target, eBay, JP Morgan — started with compromised credentials. The defence is the same every time.
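As an added illustration of the monitoring layer (example code, not eBay's telemetry or any product's detection logic), the following runs a simple baseline check over constructed access-log lines: an employee account with a modest history of small queries from the office network suddenly pulling hundreds of thousands of rows, out of hours, from an unseen source network. Field names, networks and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines: employee account, source network, and rows read
# from the customer database. Not real eBay data.
SAMPLE_LOG = """\
2014-02-20T09:12:03 user=jsmith src=10.20.0.0/16 action=db_query rows=12
2014-02-21T10:45:10 user=jsmith src=10.20.0.0/16 action=db_query rows=8
2014-02-24T11:02:55 user=jsmith src=10.20.0.0/16 action=db_query rows=15
2014-02-26T02:17:41 user=jsmith src=203.0.113.0/24 action=db_query rows=250000
2014-02-26T02:40:09 user=jsmith src=203.0.113.0/24 action=db_query rows=310000
"""


def parse(line: str) -> dict:
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def detect_anomalies(log: str, min_history: int = 3, rows_factor: int = 10,
                     work_hours: tuple = (7, 20)) -> list:
    # Per-account baseline built from earlier events; each new event is
    # compared against that account's own history. Alerted events are NOT
    # folded into the baseline, so a compromised session cannot normalise itself.
    history = defaultdict(list)
    alerts = []
    for line in log.splitlines():
        ev = parse(line)
        past = history[ev["user"]]
        reasons = []
        if len(past) >= min_history:
            if ev["src"] not in {p["src"] for p in past}:
                reasons.append("new_source")
            if not work_hours[0] <= ev["ts"].hour < work_hours[1]:
                reasons.append("out_of_hours")
            if ev["rows"] > rows_factor * max(p["rows"] for p in past):
                reasons.append("bulk_read")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], reasons))
        else:
            past.append(ev)
    return alerts
```

Each alert carries the reasons that fired, so a SOC analyst can see that the same credential tripped source, time and volume checks at once, which is the signature of a credential being used by someone other than its owner.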


Target. eBay. JP Morgan. All started with compromised credentials. Is your MFA deployed?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="/penetration-testing/infrastructure">Penetration testing</a> validates segmentation. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects anomalous credential use.