eBay makes users change their passwords after hack

[webfact]

eBay makes users change their passwords after hack

(BBC) Online marketplace eBay is forcing users to change their passwords after a cyber-attack compromised its systems.

The US firm said a database had been hacked between late February and early March, and had contained encrypted passwords and other non-financial data.

The company added that it had no evidence of there being unauthorised activity on its members' accounts.

However, it said that changing the passwords was "best practice and will help enhance security for eBay users".

Full story: http://www.bbc.com/news/technology-27503290


-- BBC 2014-05-22

[Tatsujin]

8-10 weeks later they are recommending us to change passwords? Morons.

[BKKdreaming]

I just renewed listings on 5 of my accounts and did not have to change passwords yet,

this was in the last 30 minutes

[falang07]

since all that was stolen were encrypted passwords, it means security was not compromised (unless someone can decrypt those passwords, which is highly improbable)

[tx22cb]

I've had no message from eBay yet.

Or is this like car companies' recalls - US & EU only, nothing for (/not bothered about) Thailand customers?

[Carmine6]

since all that was stolen were encrypted passwords, it means security was not compromised (unless someone can decrypt those passwords, which is highly improbable)

http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

Depends what you mean by security. Name, email address, physical address and date of birth is a lot of info to know about people.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.

[tx22cb]

since all that was stolen were encrypted passwords, it means security was not compromised (unless someone can decrypt those passwords, which is highly improbable)

Actually, the Daily Torygraph reports "Names, email addresses, home address, phone numbers and dates of birth of all users have been stolen by hackers, the company admits".

[webfact]

I have changed PW - can't be wrong to do it

[webfact]

By emailing hacking victims, eBay opens users up to more risk
Jordan Robertson

After hackers stole email addresses and other user data from eBay's network, the company announced it would email users to suggest they change their passwords. That doesn't make a whole lot of sense.

The problem with this approach is that the hours immediately following a breach are prime time for hackers. Cybercriminals are consummate opportunists. They scrutinise the news looking for ways to craft fraudulent and timely messages to trick people into clicking on them.

The millions of eBay users who may have caught wind of the breach after seeing a headline today are more likely to fall for an email scam prompting them to click a link and input their login information. A similar technique was used by Chinese military officers to hack into US companies, showing that in cyber security, people are their own worst enemies.

Instead of emailing the auction site's more than 145 million active buyers worldwide, eBay could have immediately done something that Adobe Systems, LinkedIn and Evernote all did after their recent high-profile hacks: change users' passwords. Automatically resetting accounts is becoming a "common courtesy" after many breaches, says Lysa Myers, a researcher with Slovakian security firm ESET.

Full story: http://www.theage.com.au/it-pro/security-it/by-emailing-hacking-victims-ebay-opens-users-up-to-more-risk-20140522-zrkpc.html


-- The Age 2014-05-22

[BKKdreaming]

ebay first needed to put on the start up page that they had been hacked before telling the press ,

I understand that would have been a very short "secret" but it would have given the ebay customer a little extra time