Yesterday, eBay.com sent me a warm welcome email, thanking me for creating a new account with eBay ID oha1231.xyz.
The problem is, I didn't create that account. Furthermore, the email address used for the account registration was one of my aliases, one I rarely use.
I immediately submitted an inquiry to eBay Belgium to close this account and contacted my mail provider who advised me to change my account and mailbox password.
A lot of questions started spinning through my head:
Have any of my passwords been leaked?
Why didn't the email from eBay contain a validation link, is it really that simple to assume someone else's identity and start bidding or even purchase online?
Why would someone even want to go through all that trouble? As I learned later on, my credit card and PayPal account were not compromised.
How did the other party get their hands on the rarely used alias by little ol' me?
Aside from causing me financial damage, for example by bidding on a private jet, it still doesn't make a lot of sense how someone else could profit from this without having a way to pay for it on my behalf.
As eBay Belgium is closed on weekends, I didn't want to wait and called the U.S. hotline.
Upon lookup of the username, the agent explained to me that there was a database breach back in May and this abuse was directly linked to it.
eBay customer names, their encrypted passwords, email addresses, registered addresses, phone numbers and dates of birth were exposed.
The agent immediately took action to have the impersonating account suspended.
The alias used to register the account was used by me in the past for domain registrations.
Up until now I didn't realize that WHOIS lookups in fact can reveal full personal contact details, if not set private.
Am I relieved now? No! Case closed for eBay? Yes.

While I'm sure you all remember the Heartbleed Bug, which made people change their passwords on all affected sites, my wake-up call came earlier when I read the story about the hijacked Twitter account '@N', a true story about how malicious steps through 'social engineering' can cost someone ownership of their account.

Which lessons, if any, can be learned from this?

A password is only as good as the secured environment it's stored in.
Furthermore, you may want to take comfort in the fact that nothing is private: aside from external threats, internal threats such as employees with bad intentions and access to sensitive customer data are equally real.

Going forward with password security, I advise the following:

  • Be prepared to memorize one good, strong password or, even better, an uncommon pass-sentence. It's worth the effort.
  • Go to a website that generates truly random passwords (like random.org). Create a list of five or ten candidate passwords.
  • Pick a random password that you can convert into a memorable nonsense phrase. Use the phrase to remember the password.
  • Use a Password Manager such as LastPass or Keepass and use these tools to keep track of previously used passwords.
  • Change your passwords regularly. Set calendar reminders to do so.
  • Do not ever use the same password twice.
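As an added example (not part of the original post), the candidate-list step can be done locally with the operating system's CSPRNG instead of a website, and each candidate can be labelled with its entropy so you know what you are trading away when you pick the most memorable one. The word list below is a constructed toy; a real passphrase list such as EFF's diceware list has thousands of entries, which is what gives a pass-sentence its strength.

```python
import math
import secrets
import string

# Constructed toy word list for the demo; a real diceware list has ~7776 words.
WORDS = ["apple", "bridge", "candle", "dolphin", "engine", "falcon", "garden", "harbor",
         "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchid", "pepper"]

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16) -> str:
    """One candidate password drawn with secrets (OS CSPRNG), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """One candidate pass-sentence: independent, uniformly chosen words."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` symbols."""
    return picks * math.log2(choices)


def candidates(n: int = 5, length: int = 16, words: int = 6):
    """Return n password and n passphrase candidates, each paired with its entropy in bits.

    The entropy is a property of how the candidate was generated, so it stays valid
    only if you keep the candidate exactly as drawn (the mnemonic phrase is for recall,
    not a replacement for the password itself).
    """
    out = []
    for _ in range(n):
        out.append((random_password(length), entropy_bits(len(ALPHABET), length)))
        out.append((random_passphrase(words), entropy_bits(len(WORDS), words)))
    return out


if __name__ == "__main__":
    for cand, bits in candidates():
        print(f"{bits:6.1f} bits  {cand}")
```

With the 16-word toy list a six-word phrase is only 24 bits; with a 7776-word list the same six words give about 77 bits, comparable to the 16-character random password at roughly 105 bits.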


Sources and recommended reading:

https://medium.com/cyber-security/24eb09e026dd

http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/

https://medium.com/@littlebrown/how-to-outguess-passwords-3a72ab8b17f4

http://arstechnica.com/security/2014/01/picking-up-the-pieces-after-the-n-twitter-account-theft/