eBay hack: how you can stay safe online

Hackers have stolen the personal details of 145m customers from eBay, including names, email and postal addresses, phone numbers and dates of birth. How worried should you be, what can they do with this data and what steps can you take to limit the damage?

eBay has handled the loss of data extremely poorly, with experts and MPs castigating the company for what appeared to be serious delays in informing its customers after the initial breach at the end of February.


Encrypted passwords were also taken. Password stores of this kind are normally one-way hashes rather than reversible encryption: they cannot be decoded wholesale, but an attacker holding the file can guess likely passwords offline and compare each guess against the stored values, so short or common passwords can still be recovered. That is why eBay is telling users to choose new ones. No financial data was lost, eBay says, and card details held with PayPal, which stores them separately, are also safe.

The main threat is that the data will be used to commit identity theft and as a ready-made mailing list for spammers. With those personal details, hackers can craft convincing messages which appear to come from eBay, your bank or any other reputable organisation, and many people will be fooled into handing over yet more data that exposes them further.

Imagine a nefarious character who spots someone complaining on Facebook about being unable to log in to online banking. They look up the name in the list of stolen eBay records and find a match; they now have an address, date of birth and phone number which can lend a sense of authenticity to a faked email from the bank requesting account numbers and sort codes in order to resolve the problem. Once this is handed over, the hacker is one step closer to stealing the victim's money.

Or, in a less targeted attack, they could send all 145m people an email purporting to be from a particular bank and asking them to follow a link and reset their password. The link will point to a fake version of the bank's website which exists only to harvest whatever is typed into it. This scattergun approach needs only a tiny percentage of recipients to comply in order to prove hugely lucrative.

The same spam email could also be used to get people to click on links or download files which infect their computers with malware. That malware can serve a range of purposes: sending yet more spam, mining Bitcoins, or even spying on people through their webcam.

Of course, not everyone will fall for these tricks, but they don’t need to - with 145m records there will be enough who do. Someone will be making a fortune with this data. The stolen details will likely be treated like a commodity, sold and resold on underground websites and used to con money out of vulnerable people by various groups for years to come.

We’ve already seen criminals trying to con each other; several different samples of data purporting to be from the eBay leak have been published online, acting as proof of possession in a form of underground advert which demands money for the full file. We’ve been told by security researchers that this data is old information from previous hacks, crafted to look new. One of these adverts requests payment in Bitcoin - we have investigated and verified that nobody has yet fallen for the trick.

In truth, there is little that can be done about this loss of personal details: the cat cannot be put back in the bag. It is worth checking your credit report with services like Experian, as an unexpected change in your rating, or an account you do not recognise, can be a warning sign that you have become a victim of identity theft.

Changing your eBay password is a vital step which should be taken quickly. You should also change the password on any other website where you have used the same one, as hackers will routinely try a stolen email and password combination at other sites, knowing that many people reuse passwords because they struggle to remember several.

But what should your new password be? The simpler it is, the easier it is to crack.

Often an attacker will use a "brute force" approach, which uses a computer to rapidly try every possible combination of characters until it finds the correct one. Every extra character multiplies the number of combinations, so the shorter a password is, the less time it will take to break. A long string of random characters is hard to type and to remember, so a sensible balance must be struck; a passphrase made of several unrelated words is one way to get length without sacrificing memorability.

Before resorting to brute force, cracking software will usually run a dictionary attack, working through files of words and previously leaked passwords one by one until a match is found. These tools also apply "mangling" rules to each word: trying it capitalised, typed backwards, in common abbreviations, or with digits and a year tacked on the end, which is exactly how most people make a dictionary word look "complex".

So it is advisable to be as random as possible and perhaps use intentionally misspelled or fictitious words. Certainly, choosing names, birth dates or places is not the best way to protect your account.

Microsoft recommends that passwords are at least eight characters long, while many websites will demand that they contain both numbers and letters, often both uppercase and lowercase. As much complexity as you can practically live with is advised, and some sites will also allow symbols such as %, &, * and #. Bear in mind, though, that length does more for you than variety: adding two characters to a password increases the attacker's work far more than swapping a letter for a symbol does.
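To make the points above concrete, here is an added example (not part of the original article, and not eBay's code) of what an attacker does with a stolen file of salted password hashes and why short or predictable choices fall quickly. The leaked records, the tiny wordlist and the five passwords are all constructed for the example; eBay did not disclose which hashing scheme it used, so SHA-256 with a per-user salt is an assumption made here purely for illustration. The example also shows the arithmetic behind the brute-force advice: how long exhausting every combination would take at a given guessing rate.

```python
import hashlib
import os

# Constructed stand-in for the multi-million-entry wordlists real cracking
# tools ship with. Real attackers also feed in passwords from earlier leaks.
WORDLIST = ["password", "ebay", "letmein", "london", "qwerty", "monkey", "dragon"]

# Suffixes people bolt on to make a dictionary word look "complex":
# a single digit, a year (birth years are a favourite), "!" or "123".
SUFFIXES = [""] + [str(d) for d in range(10)] + [str(y) for y in range(1950, 2015)] + ["!", "123"]


def candidates(word):
    """Yield mangled variants of one dictionary word: case changes,
    the word typed backwards, and each of those with a common suffix."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(salt: bytes, password: str) -> str:
    """Assumed storage scheme: SHA-256 over salt || password (illustrative only)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(user: str, password: str) -> dict:
    """Build one leaked-style record: user, hex salt, hex hash. The salt is
    random per user, so each record has to be attacked separately."""
    salt = os.urandom(8)
    return {"user": user, "salt": salt.hex(), "hash": hash_password(salt, password)}


# Constructed "leaked" file. The plaintexts are only used here to build it;
# the attacker sees just the salt and hash columns.
LEAKED = [
    make_record("alice", "password1"),                    # word + digit
    make_record("bob", "drowssap"),                       # "password" backwards
    make_record("carol", "London1984"),                   # place + birth year
    make_record("dave", "pelican velvet tractor amber"),  # long passphrase of unrelated words
    make_record("erin", "7kQ#v9!pLz2&Xw"),                # random, from a password manager
]


def crack(records, wordlist=WORDLIST):
    """Dictionary attack with mangling rules against every record.
    Returns {user: recovered_password} for the ones that fall."""
    cracked = {}
    for rec in records:
        salt = bytes.fromhex(rec["salt"])
        for word in wordlist:
            hit = next((g for g in candidates(word) if hash_password(salt, g) == rec["hash"]), None)
            if hit is not None:
                cracked[rec["user"]] = hit
                break
    return cracked


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time, in years, to try every string of the given length.
    The 1e10 guesses/second default is an assumed rate for a fast hash on a
    GPU rig; the exact figure matters less than the exponential growth."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for user, pw in crack(LEAKED).items():
        print(f"cracked {user}: {pw}")
    print(f"8 chars, letters+digits: {brute_force_years(8, 62):.4f} years")
    print(f"14 chars, full keyboard: {brute_force_years(14, 95):.2e} years")
```

The three "complex-looking" passwords fall to a seven-word dictionary in a fraction of a second, because the mangling rules reproduce exactly the tricks people use. Dave's passphrase and Erin's generated password survive this attack, and the brute-force arithmetic shows why a random 14-character password is out of reach while an 8-character one is not. The per-user salt does not stop any of this; it only prevents the attacker from cracking all 145m records with one pass.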

It is also advisable to change a password promptly whenever you have reason to think it has been exposed, as with this breach, so that the attacker has only a limited window in which to use your account. Routine changes on a fixed schedule are less valuable than they sound, since most people respond by making small, predictable edits to the old password.

One thing worth considering is using a password manager such as LastPass. These products keep all of your passwords in one place, protected by a single master password. They will generate a long, random and different password for every site, which removes the reuse problem described above, and will prompt you to change any that have been exposed.

If you change your eBay password and have not used the same password for other services, then your account should be safe. Your name, address, phone number and date of birth are still out there, though, so treat any unexpected email or call that cites those details as a possible con.