Is eBay’s Password Reset Message a Smokescreen Covering the Bigger Issue?

eBay - SmokescreenWhat is the biggest concern about the recent eBay data hack?  The fact that hackers have obtained hashes of users’ passwords? Or that they have obtained more than enough information about you to commit identity fraud?

eBay is currently forcing all users to change their password before continuing to use the site. Whilst I’m not pretending that it’s not a good idea for most users to change their password, in my opinion, it’s acting as a smoke screen for bigger deal here.

So exactly is a hashed or encrypted password?

Anyone with any sense, stores a hash of a user’s password, rather than the original password itself. A ‘hashing algorithm’, usually MD5, is applied to convert the user’s password into its hash. The popular password letmein becomes 0d107d09f5bbe40cade3de5c71e9e9b7.

The hashing process is a one-way process; hashed passwords cannot be un-hashed.  To authenticate you, a system will simply hash the password a user enters, and compare those hashes.

So if hashing in this way cannot be reversed, why is eBay forcing users to reset their passwords?  Quite simply, while 0d107d09f5bbe40cade3de5c71e9e9b7 cannot be un-hashed back to letmein, we can remember that 0d107d09f5bbe40cade3de5c71e9e9b7 = letmein, and so any hashed password with a value of 0d107d09f5bbe40cade3de5c71e9e9b7 will translate to letmein, and so on. By hashing common passwords and dictionary words, hackers can work out what your un-hashed password probably was.

If your password is secure in the first place, you stand a much reduced chance of your password having been reverse-engineered to allow it to be looked up in this way.

What is the bigger deal eBay is masking?

Alongside your hashed password, hackers obtained your:

  • real name;
  • physical address;
  • telephone number;
  • date of birth.

This is far more alarming because it now means every eBay user is very vulnerable to identity theft – and it’s not really possible to change our names, addresses and date of birth!

So yes, please do reset your eBay password, but don’t take your guard down. All users now need to be extra vigilant for any strange activity that could arise in the form of identity theft, something which eBay’s formal message to users seems to omit.  Funny that!