eBay security scare - users asked to change passwords

Started by Simon, May 21, 2014, 14:37:00

Simon

eBay is asking people to change their passwords after a cyberattack compromised a database containing encrypted user information.

Read more:
http://www.bbc.co.uk/news/technology-27503290
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Tacitus

Just changed my eBay password. Apparently PayPal is not affected although many people might feel inclined to change their PayPal password as well.

J!ll

Did mine too  :P According to the news they have known about it since February! So we foot the bill if someone goes on a spending spree?  :-\

Steve

I've changed mine, can't remember what to though! :red:
Steve

J!ll

I've written mine down! Trouble is I just can't cope with different passwords, I find I'm locked out of most things now  :laugh:

zappaDPJ

I've always been wary of eBay. I've heard a number of stories about their security or lack of. If what I'm reading now is correct I'm rather glad I don't have an account with them as it appears they don't encrypt personal data. I've also been told by people who do have an account that they have not implemented a forced password reset. In fact browsing their site there's nothing to suggest there ever was a problem. And how is it that they sat on this for months and then left it for news outlets to first report?
zap

nowster

My sister had a listing put on her account without her knowledge about two months back.

I believe her chosen password was weak, enabling a dictionary attack to work.

Tacitus

Quote from: J!ll on May 22, 2014, 17:42:04
I've written mine down! Trouble is I just can't cope with different passwords, I find I'm locked out of most things now  :laugh:

Use something like 1Password: https://agilebits.com/onepassword No doubt others can list similar apps.

Tacitus

Quote from: nowster on May 22, 2014, 22:52:47
I believe her chosen password was weak, enabling a dictionary attack to work.

One of the real problems with a great many sites is that although the user may choose a strong password of (say) 16 characters or more, the site will truncate everything beyond the eighth character without anyone knowing about it.  Perhaps not a huge problem if your password is truly random and of mixed characters, but it makes it trivial to crack a poor password.
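The truncation described in the post above can be checked for in a site's own authentication code. The following is an added example, not part of the original post: `PasswordStore`, `effective_length` and `accepts_altered_tail` are hypothetical names, the 8-character limit is the figure from the post, and the probe password is constructed.

```python
import hashlib
import hmac
import os


class PasswordStore:
    """Hypothetical credential store; limit=8 models the silent truncation."""

    def __init__(self, limit=None):
        self.limit = limit  # None means the whole password is hashed

    def _digest(self, password, salt):
        kept = password[: self.limit]  # slicing with None keeps everything
        return hashlib.pbkdf2_hmac("sha256", kept.encode("utf-8"), salt, 10_000)

    def enroll(self, password):
        salt = os.urandom(16)
        return salt, self._digest(password, salt)

    def verify(self, password, record):
        salt, expected = record
        return hmac.compare_digest(self._digest(password, salt), expected)


def effective_length(store, probe):
    """Shortest prefix of `probe` that logs in to an account enrolled with it."""
    record = store.enroll(probe)
    for n in range(1, len(probe) + 1):
        if store.verify(probe[:n], record):
            return n
    return len(probe)


def accepts_altered_tail(store, probe):
    """True if changing only the last character still authenticates."""
    record = store.enroll(probe)
    altered = probe[:-1] + ("x" if probe[-1] != "x" else "y")
    return store.verify(altered, record)


if __name__ == "__main__":
    probe = "Tr0ub4dor&3-constructed-sample"  # constructed test password
    for name, store in (("truncating", PasswordStore(limit=8)), ("full", PasswordStore())):
        print(name, effective_length(store, probe), accepts_altered_tail(store, probe))
```

An effective length shorter than the probe, or a successful login with an altered last character, means the store is discarding part of what the user typed.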

JB

Another problem is PayPal (an eBay company).

Although they allow you to paste your password in when logging on, they do not allow cut and paste when changing or setting up a new password, thus encouraging users to manually type a weak one IMHO. There is a way around this but it is a little complicated for the average punter.
JB

'Keyboard not detected ~ Press F1 to continue'

zappaDPJ

I've just received an email asking me to change my password and I don't even have an account, how clever is that! ;D I also have an imaginary parcel waiting to be picked up from USPS.COM and IDNetters needs to change their PayPal password apparently.

Needless to say the world is about to be flooded with fake password change emails from eBay.
zap

Simon

IDNetters has so many PayPal accounts, I've lost count now.  It's just a shame there's nothing in any of them.  ::)
Simon.

zappaDPJ

Quote from: Glenn on May 23, 2014, 14:09:18
It's now on their front page too.

Talk about being economical with the truth...

Quote: This is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.
http://www.ebay.com/reset?_trkparms=clkid%3D7103293943041030403

No mention at all of the unencrypted data that has been compromised including the customer's name, email address, physical address, phone number and date of birth. Everything you might need in fact to commit identity fraud. If I were a customer I'd probably be hammering on the door of the Information Commissioner's Office right now. Personally I think this falls into the realms of criminal negligence. Probably the worst case of compromised data to date and eBay clearly aren't trying to deal with it in any meaningful way.


[EDIT] In fact it appears others feel the same as I do...

Quote: The UK's information commissioner is working with European data authorities with a view to taking action against eBay over its recent data breach.

Three US states are also investigating the theft of names, email addresses and other personal data, which affected up to 145 million eBay customers.
http://www.bbc.co.uk/news/technology-27539799
zap

Simon

Great.  :sigh:

I don't know what reasonable steps one can take to protect their identity, as most of the details Zap mentioned above are on all postal items delivered to one's home.  I guess, using a false phone number (:whistle:) and not my usual email address is one way of at least making ID fraud more difficult.  :dunno:
Simon.

zappaDPJ

Date of birth is the real killer here and why on earth would eBay require that? That's the one that makes the risk of identity fraud real. The rest will probably just get you on the usual scam lists which many of us are on anyway.

In true British tradition it seems we are about to deal with eBay's ineptitude with more of the same...

Quote: Speaking on BBC Radio 5 live, the UK's information commissioner said that the eBay breach was "very serious" but that outdated and complex data protection laws meant the ICO could not begin an immediate investigation.
Read more: http://www.nationalheadlines.co.uk/ebay-faces-investigation-over-breach/327765/#ixzz32Ya8SOWw

Luckily I think other countries, particularly the U.S. will have laws in place to make an example out of eBay which might help make other organisations sit up and take notice. Nobody in their right mind should be holding the kind of data that eBay holds in an unencrypted format.


[EDIT] Not really related but the web is currently awash with news that Google's Panda 4.0 roll-out has lost eBay 80% of its organic rankings. Panda 4.0 being part of an on-going initiative to weed out 'thin content' and SEO fakery from search results. This is good news for web users and dismal news for eBay because it means that search results will now return useful results instead of a load of second hand tat from eBay.
zap

JB

Quote from: zappaDPJ on May 23, 2014, 17:45:06
Date of birth is the real killer here and why on earth would eBay require that?

I imagine that despite their assurances to the contrary, a DOB and address are a marketable commodity?
JB


zappaDPJ

Definitely but that kind of behaviour would be a serious breach of the Data Protection Act.
zap

JB

Quote from: zappaDPJ on May 24, 2014, 10:51:52
Definitely but that kind of behaviour would be a serious breach of the Data Protection Act.

Indeed.
JB


Technical Ben

Quote from: Simon on May 23, 2014, 14:17:23
IDNetters has so many PayPal accounts, I've lost count now.  It's just a shame there's nothing in any of them.  ::)
No chocolates on order? :(
I used to have a signature, then it all changed to chip and pin.