eBay Passwords Stolen: How Hackers Attack

eBay sent out this email to more than 350 million people this week, saying its password database had been stolen by hackers. eBay owns PayPal, so there is a real threat to your pocketbook if you don’t change your password, and do it quickly.

Here I explain, using a simple example, how a hacker could apply a dictionary attack to recover some of the passwords stolen from eBay.

Passwords in a database are stored as hashes rather than encrypted with a secret key, so there is no key for the attacker to find and the hash cannot simply be reversed. Instead, the attacker guesses candidate passwords, runs each guess through the known hash function, and checks whether the result matches one of the stolen hashes. That is a dictionary attack.

For example, suppose the hash is something like:

Hash algorithm: add 1 to each letter’s ASCII code.
Of course the password hash mechanisms are not going to be so simple. But let’s illustrate the point with that.

The ASCII code of the letter A is 65, M is 77, and Y is 89. So if your password is AMY, the hashing function encodes it like this:

A + 1 = 65 + 1 = 66 = B
M + 1 = 77 + 1 = 78 = N
Y + 1 = 89 + 1 = 90 = Z

So the hacker has stolen the hash BNZ and is trying to recover the password behind it. The hacker attacks it with a dictionary attack, trying all the known hash functions, including this very basic one.

They take words from the English language dictionary (eBay is in the USA) and common names and apply the hash function to each one. If they take the word “AMY,” apply the hash, and get the result “BNZ,” they know the password is AMY, because the stolen record says “BNZ.” They will also try “AMY123” and the other combinations that people commonly use.
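The attack described above, written out as a small Python program. This is an added example, not code from the original post or from eBay: it implements the article’s toy “add 1 to each ASCII code” hash, runs a dictionary of constructed sample words (plus the numeric suffixes the article mentions) through it, and compares each result with the stolen value. For contrast it also shows how a defender stores passwords so the same trick fails: a random per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumed tuning value).

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def toy_hash(password: str) -> str:
    """The article's illustrative hash: shift every character's ASCII code up by one.
    Real systems never use anything this weak; it only makes the attack visible."""
    return "".join(chr(ord(c) + 1) for c in password)


# Constructed sample dictionary: a few names and words, as the article describes.
WORDLIST = ["ALICE", "AMY", "BOB", "PASSWORD"]

# Suffixes people commonly append; this short list is a constructed assumption.
SUFFIXES = ("", "123", "1")


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Expand each dictionary word into the bare word plus common numeric variants."""
    for word in words:
        for suffix in SUFFIXES:
            yield word + suffix


def dictionary_attack(stolen_hash: str, words: Iterable[str]) -> Optional[str]:
    """Hash every candidate and compare it with the stolen value.
    Returns the recovered password, or None if the dictionary did not contain it."""
    for guess in candidates(words):
        if toy_hash(guess) == stolen_hash:
            return guess
    return None


# --- Defensive counterpart: salted, slow hashing ---------------------------

PBKDF2_ITERATIONS = 200_000  # assumed value; raise it to what your login path tolerates


def store_password(password: str) -> dict:
    """Produce the record a defender keeps: random salt, iteration count, derived key.
    Two users with the same password get different records because of the salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    stolen = toy_hash("AMY")                      # what the attacker holds: "BNZ"
    print("stolen hash:", stolen)
    print("recovered:", dictionary_attack(stolen, WORDLIST))
    print("recovered:", dictionary_attack(toy_hash("AMY123"), WORDLIST))
    print("not in dictionary:", dictionary_attack(toy_hash("zebra"), WORDLIST))

    rec1, rec2 = store_password("AMY"), store_password("AMY")
    print("same password, different records:", rec1["hash"] != rec2["hash"])
    print("verify correct:", verify_password(rec1, "AMY"))
    print("verify wrong:", verify_password(rec1, "AMY123"))
```

The point of the second half is the defender’s lesson from the breach: with an unsalted, fast hash one pass over the dictionary cracks every user who chose a dictionary word, whereas a random salt forces the attacker to redo the whole dictionary for each user and a slow hash makes each of those guesses expensive.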

Now they can access your PayPal account, assuming what they stole also contains the user ID. Logic says it does, since there must be something in the record to indicate whom the password belongs to.

To prevent hackers from using stolen credentials for PayPal customers, PayPal and eBay users should set up two-factor authentication. With that, having the user ID and password is not enough to log in to your account. You can follow the instructions here to set that up.