Cyber Incident Victim: eBay Inc.
Date:
Feb 2014
Location:
United Kingdom
Summary
Pro-Syrian hackers intercepted sensitive communications of the company's security personnel during their response to a website breach, potentially compromising email accounts or laptops used by incident responders. The attackers gained unauthorized access to internal discussions and conference call details, enabling eavesdropping on efforts to mitigate the attack. This incident mirrored a similar spear-phishing compromise at another major tech firm, highlighting systemic vulnerabilities in corporate security practices. The breach exposed weaknesses in safeguarding incident response channels, as attackers exploited suspected phishing tactics to infiltrate trusted communication methods during critical security operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early February 2014, eBay’s incident response team faced a security breach while investigating a separate attack targeting eBay and PayPal websites in the UK. Pro-Syrian hackers intercepted internal communications among eBay security personnel, including an email dated February 1 from Paul Whitted, a senior manager overseeing incident management. Whitted’s message warned colleagues that attackers might have gained remote access to email accounts or laptops used by the response team, potentially compromising conference call details and enabling eavesdropping on their mitigation efforts. The attackers publicly posted evidence of this interception, including a screenshot of Whitted’s email, which security experts assessed as authentic based on its content and context. The breach occurred as responders coordinated efforts to address website defacements and visitor redirections caused by the initial attack. Analysis suggested the compromise likely originated from a phishing campaign targeting eBay employees, possibly exploiting vulnerabilities in Java, Flash, or similar applications to gain access to devices or email credentials.

The incident highlighted systemic vulnerabilities in eBay’s incident response protocols, particularly the reliance on standard corporate communication channels during active attacks. By monitoring these compromised channels, attackers obtained real-time intelligence on containment strategies, undermining the response effort. This breach occurred shortly after a similar spear-phishing attack against Microsoft, where stolen documents included law enforcement inquiry details and potential customer data. Both incidents demonstrated failures in safeguarding sensitive communications at major technology firms, despite their resources and employee training programs. The eBay compromise specifically exposed weaknesses in operational security (OPSEC), as responders inadvertently shared critical response plans through infiltrated email threads. Security professionals emphasized the necessity of out-of-band communication methods during incidents to prevent attackers from accessing mitigation strategies. The breach eroded confidence in eBay’s and peer organizations’ ability to protect sensitive data, given their high-profile status and ethical obligations to secure user information.
