eBay security scare - users asked to change passwords

Simon · May 21, 2014, 14:37:00

Ebay is asking people to change their passwords after a cyberattack compromised a database containing encrypted user information.

Read more:
http://www.bbc.co.uk/news/technology-27503290

Steve · May 21, 2014, 15:16:39

It was awhile ago as well!

Tacitus · May 21, 2014, 15:49:48

Just changed my e-Bay password. Apparently PayPal is not affected although many people might feel inclined to change their PayPal password as well.

J!ll · May 22, 2014, 17:28:29

Did mine too

According to the news they have know about it since February! So we foot the bill if someone goes on a spending spree? $:-\$

Steve · May 22, 2014, 17:36:26

I've changed mine can't remember what to though!

J!ll · May 22, 2014, 17:42:04

I've written mine down! trouble is I just can't cope with different passwords, I find I'm locked out of most things now

zappaDPJ · May 22, 2014, 17:56:21

I've always been wary of eBay. I've heard a number of stories about their security or lack of. If what I'm reading now is correct I'm rather glad I don't have an account with them as it appears they don't encrypt personal data. I've also been told by people who do have an account that they have not implemented a forced password reset. In fact browsing their site there's nothing to suggest there ever was a problem. And how is it that they sat on this for months and then left it for news outlets to first report?

Simon · May 22, 2014, 21:31:49

... presumably hoping they wouldn't.

nowster · May 22, 2014, 22:52:47

My sister had a listing put on her account without her knowledge about two months back.

I believe her chosen password was weak, enabling a dictionary attack to work.

Tacitus · May 23, 2014, 09:39:54

Quote from: J!ll on May 22, 2014, 17:42:04
I've written mine down! trouble is I just can't cope with different passwords, I find I'm locked out of most things now

Use something like 1-Password. https://agilebits.com/onepassword No doubt others can list similar apps.

Tacitus · May 23, 2014, 09:43:54

Quote from: nowster on May 22, 2014, 22:52:47
I believe her chosen password was weak, enabling a dictionary attack to work.

One of the real problems with a great many sites is that although the user may choose a strong password of (say) 16 characters or more, the site will truncate everything beyond the eighth character without anyone knowing about it. Perhaps not a huge problem if your password is truly random and of mixed characters, but it makes it trivial to crack a poor password.

JB · May 23, 2014, 11:15:35

Another problem is Paypal (an Ebay company).

Although they allow you to paste your pasword in when logging on, they do not allow cut and paste when changing or setting up a new password, thus encouraging users to manually type a weak one IMHO. There is a way around this but it is a little complicated for the average punter.

zappaDPJ · May 23, 2014, 13:44:39

I've just received an email asking me to change my password and I don't even have an account, how clever is that!

I also have an imaginary parcel waiting to be picked up from USPS.COM and IDNetters needs to change their PayPal password apparently.

Needless to say the world is about to be flooded with fake password change emails from eBay.

Glenn · May 23, 2014, 14:09:18

It's now on their front page too.

Simon · May 23, 2014, 14:17:23

IDNetters has so many PayPal accounts, I've lost count now. It's just a shame there's nothing in any of them.

zappaDPJ · May 23, 2014, 14:35:57

Quote from: Glenn on May 23, 2014, 14:09:18
It's now on their front page too.

Talk about being economical with the truth...

QuoteThis is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.

http://www.ebay.com/reset?_trkparms=clkid%3D7103293943041030403

No mention at all of the unencrypted data that has been compromised including the customer's name, email address, physical address, phone number and date of birth. Everything you might need in fact to commit identity fraud. If I were a customer I'd probably be hammering on the door of the Information Commissioner's Office right now. Personally I think this falls into the realms of criminal negligence. Probably the worst case of compromised data to date and eBay clearly aren't trying to deal with it in any meaningful way.

[EDIT] In fact it appears other's feel the same as I do...

QuoteThe UK's information commissioner is working with European data authorities with a view to taking action against eBay over its recent data breach.

Three US states are also investigating the theft of names, email addresses and other personal data, which affected up to 145 million eBay customers.

http://www.bbc.co.uk/news/technology-27539799

J!ll · May 23, 2014, 15:38:35

Simon · May 23, 2014, 16:39:16

Great.

I don't know what reasonable steps one can take to protect their identity, as most of the details Zap mentioned above are on all postal items delivered to one's home. I guess, using a false phone number (

) and not my usual email address is one way of at least making ID fraud more difficult.

zappaDPJ · May 23, 2014, 17:45:06

Date of birth is the real killer here and why on earth would eBay require that? That's the one that makes the risk of identity fraud real. The rest will probably just get you on the usual scam lists which many of us are on anyway.

In true British tradition it seems we are about to deal with eBay's ineptitude with more of the same...

QuoteSpeaking on BBC Radio 5 live, the UK's information commissioner said that the eBay breach was "very serious" but that outdated and complex data protection laws meant the ICO could not begin an immediate investigation.

Read more: http://www.nationalheadlines.co.uk/ebay-faces-investigation-over-breach/327765/#ixzz32Ya8SOWw

Luckily I think other countries, particularly the U.S. will have laws in place to make an example out of eBay which might help make other organisations sit up and take notice. Nobody in their right mind should be holding the kind of data that eBay holds in an unencrypted format.

[EDIT] Not really related but the web is currently awash with news that Google's Panda 4.0 roll-out has lost eBay 80% of its organic rankings. Panda 4.0 being part of an on-going initiative to weed out 'thin content' and SEO fakery from search results. This is good news for web users and dismal news for eBay because it mean that search results will now return useful results instead of a load of second hand tat from eBay.

JB · May 24, 2014, 08:07:23

Quote from: zappaDPJ on May 23, 2014, 17:45:06
Date of birth is the real killer here and why on earth would eBay require that?

I imagine that despite their assurances to the contrary, a DOB and address are a marketable commodity?

zappaDPJ · May 24, 2014, 10:51:52

Definitely but that kind of behaviour would be a serious breach of the Data Protection Act.

JB · May 24, 2014, 12:10:00

Quote from: zappaDPJ on May 24, 2014, 10:51:52
Definitely but that kind of behaviour would be a serious breach of the Data Protection Act.

Indeed.

Technical Ben · May 24, 2014, 23:27:35

Quote from: Simon on May 23, 2014, 14:17:23
IDNetters has so many PayPal accounts, I've lost count now. It's just a shame there's nothing in any of them.

No chocolates on order?