More eBay security stupidity exposed!

happygeek 1 982 Views

Following on from the news that an eBay password database has been compromised, and universal advice from security experts that users should now change their passwords, one thing has been loud clear: the total lack of that password change requirement from eBay. Sign into eBay and there is nothing to say stop, change your password. There has been no email sent to registered users urging them to make the change. In fact the only I've read of it have come from news stories in which they state that eBay are 'urging users to change their passwords' but truth be told it's a damn funny definition of urging if you ask me.

However, I have finally found the message that asks you change your password and the proof is right here in the screenshot below.

The only problem being that eBay has opted to put that message on the change your password page. That's right, to see it you have to sign into eBay, go into the My eBay section, navigate to the Account tab and then the Personal Information section, and finally scroll down and hit the edit password button.

Yep, the only people who will see the message 'urging' them to change their password are those people who have already made the decision to change their password. Hit the 'learn more' link after the password change request screen and you finally come to a page with "A Message From Devin Wenig" which says:

Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords. We have no evidence that your financial information was accessed or compromised and your password was encrypted. However, to protect the security and privacy of our customers, we’re asking all eBay users to reset their passwords.

After you’ve changed your password, you will receive a confirmation to your registered eBay email account informing you that your password has been successfully changed.

Your trust is essential to us, and as a valued customer we want you to have confidence in buying and selling on eBay. That’s why we are asking all global customers to change their passwords. I regret any inconvenience or concern that this situation may cause you. We take this situation very seriously, and will continue to work with law enforcement to investigate this intrusion. We are committed to ensuring a safe and secure experience for you on any device.

I can only assume that eBay is going, at some point, to be sending this to all registered users by email; is going to display this message to everyone who goes to the sign in screen; start being a little more proactive about helping users secure their accounts. Otherwise, I have to say, eBay is guilty of some very stupid decisions when it comes to incident response. eBay, you really could, should and must do better - and do so quickly.

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

I should add that I appreciate eBay has a huge membership and there is a certain load balancing need required when password changes are being done in such large number. However, given the size of the compnay and the profit which it makes, I would have thought it could have managed to get the necessary resources in place to deal with this event. After all, it has had two weeks (since discovery of compromise) to organise the breach response.

It clearly hasn't, by the way, as the password reset process isn't working. As of now, reset codes by email are delayed up the wazoo (nothing arrived to me at all after requesting one, in any mail folder) although text codes are working. Unfortunately the reset process seems broken, as my new password is being seen as incorrect when I try and log in. I tried to reset again using a new text code, only for the reset screen to freeze and on the third attempt a message about eBay being really very busy with users changing passwords and so the service is temporarily unavailable. Doh!

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon.

Member Avatar for blackmiau
blackmiau 0 Junior Poster

The biggest huffhuff I've seen is people posting stuff on Facebook going OMG!!!1! I WONT WANNA LOSE MY ACCOUNT AND YOU NEED TO BE SURE YOU DIDNT GET HACKED!!!!!1!!!!

Yes, I looked into it and decided not to change anything. What's the point if they weren't attacked yet? Then I'd have to change passwords again. Plus, being a bit of a airhead, I never remember mine, which means I usually have to reset them almost on a daily base.

Having said that, I'm off to see what eBay has to tell me.

Member Avatar for gerbil
gerbil 216 Industrious Poster

Finally, eBay are realising the consequences and possible damage to their reputation and bank balance, and risk to clients' digital security....
"It said it would be contacting users to alert them of the issue via email, its website, adverts and social media.
A spokesman added that the firm's engineers were in the process of rolling out a feature that would oblige members to choose new passwords when they next logged in, which should be live in each of the countries eBay operated in by the end of the day." -from BBC.
To Blackmiau, and others, EBay hackers stole password hashes and logins. Right now, they would be running decryption software, or have sold the info to those who will. PCWorld, in an experiment with realworld password hashes and realworld hacker/decryption experts, showed just how efficient the process can be. If decryption is happening, you can be sure that they have cracked many tens of thousands per day. Hence the now-forced password change.
""The database... included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth," it said." -BBC. That is a lot of identifying information. Given that some people use the same password across several sites requiring such, and combine it with their email address to complete a login, the damage is very real, and not just to EBay.
Ok, so credentials of some personnel were stolen, giving the hackers a free ride. But two weeks to come clean and take action? Gee... Makes you wonder if their reputation is more important to them than their customers; I would have thought the linkage was strong..

Edited by gerbil
blackmiau commented: I know, I made sure I was informed :) +2
Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

The stolen credentials database is apparently up for sale (1.45 Bitcoin if anyone is interested) on the dark market now. I'm investigating if this is the real database or just a chancer cashing in on the news, and a new story will be posted this morning about that...

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

More right here on DaniWeb: Is eBay's stolen password database for sale?

Member Avatar for blackmiau
blackmiau 0 Junior Poster

Believe it or not, I couldn't find any message from eBay about this. Not even when changing passwords.

Member Avatar for cunnijo
cunnijo 0 Newbie Poster

I managed to change my ebay password using the Uk site on the day it was annouunced. After that I received an email from them thanking me for it. Like most I got no notification whatsoever from the company just news reports from the media.

Member Avatar for L.D.
L.D. 0 Newbie Poster

I have 4 eBay sites, 3 on .ca, 1 on .com, so far only one, the newest .ca account, has received the message, today. That is why I am here, I googled the first line to make sure it wasn't a spoof.

Turns out that account is mysteriously designated as the primary at Paypal.
I just tried to change it back but they wanted too much personal information. What the?

This breach happened late Feb. and they are just getting around to the notification!
Why am I not surprised?
I use eBay's IT efforts, (or lack there of) as the butt of my jokes when it comes to their frustrating coding.

Makes me wonder if the charge back notice I received last night, from Paypal for a sale on Feb. 26 is related?

Was the buyer's account hacked so they are having their credit card company question all sales in the time frame? Or are they using the event to rip off of the sellers?

I'm in the process of changing my password on my power seller site. Looks easy enough, just click your profile, personal information, then edit next to your encrypted password and they give you 3 options. Email, text, or phone call. Then a notice that it can take up to 5 minutes for the email to reach you.

Got a good laugh after I clicked the email and changed my password.
That is where I saw the notice that they are asking everyone to change them.

I also visited the community board to find I'm in for a boat load of reboots with every password change. Typical.

Member Avatar for blackmiau
blackmiau 0 Junior Poster

Oh look, eBay sent me an email to reset my passwords. Today. At 4am. Seven hours ago. Isn't this nice of them? Worrying about us like this...

Edited by blackmiau
Member Avatar for L.D.
L.D. 0 Newbie Poster

Perhaps the Draconian eBay brass heard the angry hordes?
Now on .CA the password update banner is on every page.

All of my sites where notified. the oldest one at .com was last to get the email, this morning. Too late, I'm squared away.

Member Avatar for cunnijo
cunnijo 0 Newbie Poster

I too got an email from them advising to change my password even though I had changed it when it first broke on the media.

Member Avatar for happygeek
happygeek 2,411 Most Valuable Poster

The response has not been particularly smart in any way. I am still getting prompts to change my password, despite already doing so and having password changed messages in my onsite inbox.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Edit Preview