eBay Password Change Notice Gets Buried

eBay buries its own advisory to change passwords following database hack

Seven hours on, users still not warned that hackers obtained their personal data.

by Dan Goodin - May 21 2014, 5:35pm EDT

• HACKING

67

eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.

More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human readable format.

Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."

eBay users should be wary of anyone contacting them claiming to be eBay or any other company. They should also anticipate an increase in phishing e-mails. That means they should avoid clicking links in e-mails or discussing anything sensitive over the phone. People who use their eBay password on other sites or services should immediately change it.

FURTHER READING

WHY PASSWORDS HAVE NEVER BEEN WEAKER—AND CRACKERS HAVE NEVER BEEN STRONGER

Thanks to real-world data, the keys to your digital kingdom are under assault.

The lack of timely disclosure comes two weeks after eBay's discovery that "a small number of employee log-in credentials" had been compromised. If eBay wants to restore trust, it should explain why it took so long to directly notify customers that they should change their passwords. It should also provide a more thorough timeline about exactly what it knew and when, and what the process is for making such information known to users. Plus, officials should explain what they meant in their advisory by "encrypted passwords." If that means that passwords were converted to one-way cryptographic hashes, eBay should say how resistant the underlying algorithm is to the types ofpassword cracking techniques that have grown so common that they're now a pastime among script kiddies.

MTC - I can say that, yesterday, when I went into my account to change my password I was surprised that there was NO notice on the eBay home page about this, nor anywhere else that I could see. I did not have the problems discussed below:

PROMOTED COMMENTS

• GannicusSmack-Fu Master, in training

  jump to post
  Fosterocalypse wrote:

  Changing you password is kind of a PITA on their site too. Not very well placed in my opinion.
  
  For those who need help and don't want to wait:
  Log in to ebay and on the top left click your name and on the drop down select account settings, click personal information on menu on the left and it will take you to the screen where you can then click edit to change your password.
  
  Thinking about it since ars reported the story hours ago, i've seen it on three different news sites since and not to have the standard "we were hacked change your password" email is a bit sad. Even if they find out that more data was compromised i'd think it would be better to get the word out to users asap especially since they already made public that there was a breach. Sorry ebay cnn.com isn't a customer but 90% of the people that read this site probably are regulars. Think about your revenue stream.

  
  I've tried to do this, but when I click on the edit password link, I'm re-directed to a "Page Not Available" error message. They explain that the page can't be accessed due to high traffic volume, but "please be assured that no activity can occur on your account until your password is re-set." I guess that means my account is locked until the server is no longer overloaded. Great! I guess I won't be bidding on anything for a while!
  55 posts | registered Jun 19, 2013
• XonArs Scholae Palatinae

  jump to post
  Oh great, I can't copy & paste from a password vault into paypal into their change password form.
  
  But I can into their login page.
  948 posts | registered Nov 24, 2004
• cbfSmack-Fu Master, in training

  jump to post
  Gannicus wrote:

  I've tried to do this, but when I click on the edit password link, I'm re-directed to a "Page Not Available" error message. They explain that the page can't be accessed due to high traffic volume, but "please be assured that no activity can occur on your account until your password is re-set." I guess that means my account is locked until the server is no longer overloaded. Great! I guess I won't be bidding on anything for a while!

  
  Even better -- I got the same "please be assured that no activity can occur on your account until your password is re-set." message and couldn't log in.
  
  But then 20 minutes later -- without changing my password, I could log in!
  
  So comforting..
  34 posts | registered Nov 21, 2012

READER COMMENTS 67