eBay buries its own advisory to change passwords following database hack
Seven hours on, users still not warned that hackers obtained their personal data.
eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.
More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human readable format.
Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."
eBay users should be wary of anyone contacting them claiming to be eBay or any other company. They should also anticipate an increase in phishing e-mails. That means they should avoid clicking links in e-mails or discussing anything sensitive over the phone. People who use their eBay password on other sites or services should immediately change it.
MTC - I can say that, yesterday, when I went into my account to change my password I was surprised that there was NO notice on the eBay home page about this, nor anywhere else that I could see. I did not have the problems discussed below:
It is good to change passwords around every 30 to 45 days. It is also good to change your smoke alarm batteries out every 6 months. Just keep in mind that your security is up to you and only you on the internet. Now EBAY accounts that got hacked into are the companies fault. They need to warn people ahead of time and keep changing your passwords around like clock work. There is no telling how many accounts got hacked in EBAY. They will find out later on. But now they are not sure at all
It's not the fact the E bay’s system was comprised, but the reaction time was a little slow. Recently a lot of large companies have had mild to severe data breaches, all you can do after that is minimize your loss and reevaluate your system's security and implement tighter controls. I am at a loss as to why a company who issued warnings took so long to due so. I get the concept of how embarrassing and damaging this data breach was to e bay, nobody wants to admit they dropped the ball. But the damage was already done why make it worse, lick your wounds later and let your users know immediately. To me that's the right thing to do know make what the cost is. Bay needs to Man-up and explain to there users what happened and all the other factors involved in this. This will be a good start to restoring trust, will it
ReplyDelete