"eBay has reset everyone's passwords as a precaution"
I just logged in with my original password and it didn't ask me to change it.
eBay has told people to change their passwords for the online tat bazaar after its customer database was compromised. Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords were copied from servers by attackers, we're told. Credit card numbers and other financial records were not …
"Also, the claim that eBay has notified users is false as well."
No it's not, because *I* was notified.
So it just seems they haven't notified ALL users.
However, it wasn't well communicated. I received a missive informing me that MY account had been hacked. Rather than fessing up and saying WE have been hacked.
So...where's the class action suit for failure of data protection...?
I jumped the gun in the edit - eBay actually said: "eBay users will be notified via email, site communications and other marketing channels to change their password."
So you'll have to do it yourself. If you spot something wrong in an article, drop us a line to corrections@thereg so we can fix stuff straight away.
C.
You may disapprove, downvoter, but the fact remains that the attempt to link my ebay and paypal accounts so I could pay for stuff without the inconvenience of logging into paypal occurred on the 13th. That is right in the middle of the time between discovering the hack and disclosing it. Also, refusing somehow locked my account and I couldn't buy useless shit for two days after the refusal.
I am somewhat concerned that my personal information is now released into the wild by sloppy security. Can we sue ebay when someone assumes my identity? (Yes, half a joke because that's not the UK way - but it is a serious issue which Ebay seem to have minimised.)
And, yes, I logged into the.com site and it did not ask me to change my password.
Lucky for me I rarely use my real date of birth for any online site. (Often not even my real physical address, just one I can collect deliveries from).
Sure, it makes things much more interesting when asked security questions and also breaks the site terms, but it also makes my information much harder to steal.
Although, my actual credit score is terrible because of this practice (& that I spend beyond my means).
I always thought there was some sort of data protection law in force. Wonder what the penalties are.
eg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
Probably never been ratified because it's 'foreign'.
Yes, that would be my only concern. Not sure if I have an account with them. If I do it is more than 10 years old and I haven't used it since I created it. Not sure I'd recall what the password is if I tried. Pretty sure it was attached to an ISP email account that I couldn't get a password reset on because of merger magic. So at least as far as I'm concerned the only thing there they could steal is my identity.
Here we go again. Shoddy security and poorly trained staff coupled with plaintext details stored on an (apparently) easy to access back end.....
Companies like this should have the arse fined off them to demonstrate that it's not acceptable in this day and age...
At least in my case they have no genuine details but that is only by good sense on my part.
Still, no emails asking me to change my false details for more false ones and no word on the level of encryption used. These days, your personal details are worth more than financial ones...
"Yes, they do, to the registered address on my PAYPAL account!!!!!
Not to the false one listed on my ebay account!!!!!"
Do you realise that Paypal and Ebay are the same company? If Paypal have your address, then so do Ebay.
Nice use of exclamation marks - you seriously wanted to exclaim that post.
Do you realise that the details are stored on totally separated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?
Nice display of utter ignorance there. No wonder you decided to post anonymously...
"Do you realise that the details are stored on totally separated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?"
Right, so you are a psychic who predicted it would be ebay that would be hacked and not paypal. You hadn't mentioned your special abilities before, impressive.
Good god, the thickness is strong in a lot of folks today.
This is my fake ebay address.
01 DO NOT USE THIS
ADDRESS.
USE THE PAYPAL ONE
DN11 3RT
Anyone who thinks that that is a real address is about as much of a numbnuts as the commen(re)tards who downvoted my post without first actually thinking about it.
Also sounds like they don't know the difference between hashing and encrypting - most sites hash passwords (with a salt), so they cannot be "unencrypted". I would assume, if they are storing the important personal information in plain text, that they aren't encrypting the passwords, but simply hashing them - if the rest of the fiasco is anything to go by, probably MD5 with no salt. :-P
And for your next challenge, try finding the 'Change Password' link on PayPal's site.
I ended up using the help system in the end, only to find that their help system was offline.
(it's in My Account > Profile > My Details).
Also, why do both PayPal and eBay have a 20 character limit on passwords?
I just found this with ebay's password reset functionality. Ridiculous. To make it worse the form requires JS to work (great design there), so can't disable it to allow the pasting.
In the end I had to use firebug to edit the input's value to paste in my actually secure password rather than just using my cat's name. It's like they want people to use rubbish passwords!
Damn well hope my password wasn't encrypted, and was actually hashed.
It would have been more useful if they had said whether the passwords were salted or not. If my salted hashed password has been released, I'm totally "meh" about it, where as if my unsalted encrypted password has been released then I'm much more angry.
Doesn't matter if they got the salt too, the idea of a salt is that each password is hashed differently, so they can't just store a dictionary of hashed strings which they can compare against. They'd need a dictionary per possible salt value. That is unwieldy and slows down any attack, which in general is the best you can ever hope for.
Standard salting isn't enough if you have billions of logins. The standard salt on many systems is only 8 characters and only contains about 48 bits of entropy. That is about 300 trillion unique salt values, so there should only be about a 1 in 300,000 chance that your eBay password shared the same salt as another user; however, that assumes the random salt generator works properly, and what I've seen in the real world is a few thousand people sharing the same salt. eBay must release details of how those passwords were stored. They also need to identify any large groups of users with shared salts since they will be the 1st targets.
Don't confuse an implementation of salt with the definition of a salt. Salt is simply a technique. It can be 2 bytes but it can just as easily be 256 randomly generated bytes (or any number). It doesn't even have to be appended to the end. You know the size of the hash output so you can interleave the salt and resulting hash in the one field if you want. That approach means that your authentication server can easily get all the information it needs and you can not tell from the table what is hash and what is salt.
>> It would have been more useful if they had said whether the passwords were salted or
>> not. If my salted hashed password has been released, I'm totally "meh" about it,
>> where as if my unsalted encrypted password has been released then I'm much more angry.
You're wrong, then. Let's assume (and it may be a rather large assumption) that ebay are not complete fucking maroons, and are not only salting your password, but salting your password with a unique-to-you, or better, unique-every-time-you-change-your-password salt. Now, as the bad guys have your salted password hash, they can't do anything with it, right? Wrong. Of course they can. If they've managed to extract your salted, hashed password from ebay's database, we can also assume they bothered to extract the salts at the same time, and they know the salting & hashing algorithm that ebay use. Because they aren't fucking mongs either; indeed, we should assume they are somewhat smarter than you or I. So, if your account particularly takes their interest, they are perfectly capable of building a rainbow table for reversing your password hash to its original plaintext version of "ebay.com". If it's salted uniquely per password, they can't then use the rainbow table to reduce the time taken to do an *en masse* reverse; they effectively need to brute force every password. And even that is less of an issue should they happen to have a botnet at their disposal; all they need to do is distribute hash/salt pairs out, and have their bots do the crunching via brute force rather than rainbow tables. That's how I'd do it, anyway.
We can probably assume that ebay have fallen into the common trap of using lower-complexity hashing algorithms, on the grounds that 500ms is too long to wait to log in, and the combined compute load of their users logging in would be too expensive should they use something "heavyweight". Which is fair enough, but it makes brute-forcing feasible, time-wise. And even if they are using something "hard", all the brute forcer needs to do is give up after a certain amount of time, or put harder hashes "back onto the queue" for later attention, focussing on getting the lower hanging fruit first.
Whichever way you look at it, if they want into your account, you're proper fucked whatever happens.
"The digital break-in of staff accounts was detected about two weeks ago" ... "no evidence of the compromise resulting in unauthorized activity"
Really? My sister notified them on 22nd April about an eBay phishing email she received which contained her very personal contact details as provided to eBay. The phishing email was asking to fill in a form with all credit card details.
The personal details provided made it look very credible I have to say.
That when Sony told everyone that payment details weren't taken, the press conveniently, "forgot" to include that rather important nugget. EBay have the luxury of having it in bold.
It also seems odd that whilst Sony got a tonne of bad press for dragging their heels for a week whilst doing forensic analysis on the hack and gaining solid information, that was totally unacceptable, yet eBay sitting on this knowledge since February is somehow perfectly fine.
Funny old world....
darn it. It gets tedious inventing new passwords, there are so many sites that I log into, I need an A4 notepad to store all my passwords - and then I have to encrypt that in some way so that no one can somehow use it if they find my list of site names and passwords........ Wish I had an eidetic memory :-(
Or come up with a master password and a rule to derive extra bits based on the domain name. For instance, "ABCD123" & characters 5-8 of domain name & "45EFGH" & number of characters in domain name + 2 & "IJK678". Different password for each site, easy to remember, can be done with your brain so no software required (which you might not always have), and tough to reverse engineer. I also advise basing the master password on the initials of a memorable sentence, which makes it trivially easy to remember a good long password with no dictionary words or obvious patterns in it. Takes a bit of concentration for the first couple of days, then just comes easily.
For example, using the sentence "The 2014 version of Godzilla is way better than that pitiful Roland Emmerich shite" gives "T2014voGiwbttpREs". Add the above rules for this site, and you could get "T2014vegisoGiwbt13tpREs". Same system for Amazon.co.uk would give "T2014voncooGiwbt8tpREs".
Why do companies like @eBay or @Target NOT encrypt sensitive personal data? Let me hear one single good reason.
How about because for things like addresses they need to be able to decrypt it, which means they need to store the password, and that can be stolen like any other piece of data. Encryption is only useful if you don't keep the key anywhere near the data, which is tricky if you need to be able to retrieve the data automatically, as distinct from asking a real person to type in their key.
So, if there was no evidence of fraudulent account activity, how did they know they'd been hacked?
This is actually quite an interesting incident and any comment must involve a certain amount of reading between lines. The truth is undoubtedly out there but getting to it may present a challenge. But a bit of speculation seems in order...
So then - if the intrusion happened a couple of months back and it was only detected weeks ago, we have two possibilities - either eBay are truly incompetent to the point of recklessness, or this was a fairly stealthy attack by someone who was actually rather good at this sort of thing. If the latter is true, then my best guess would be some sort of spear-phishing directed at system admin type folks. A bit of homework scanning through LinkedIn would probably produce enough information to send a plausible email containing some sort of zero day attack either as an attachment (old hat) or a link back to a compromised site. Job done, start extracting information and loading up the rootkits or whatever.
No conventional security tools are likely to detect this if done well.
At this point, my sympathies are with eBay. Briefly.
However, whatever protection they had over encrypted/hashed passwords was obviously woefully inadequate, assuming of course that passwords were compromised rather than 'might have been' compromised.
Which leads to epic fail on communications. Keeping your mouth shut for a couple of weeks is understandable - get the forensics folks in and crawling all over your logs etc and understand the extent of the problem before you go public is perfectly reasonable.
But - that period should give you enough breathing space to produce a coherent and sensible communications strategy. One that does not consist of vague advice to change your password. Why the hell couldn't someone have written a script to enforce password change at next logon? Not rocket science.
Bad security controls and poor incident management. A classic example of a major organisation not taking information security seriously.
Any chance there could be some *penalties* for companies being too cheap to keep things secure.
OK, stuff happens, crims will always try and get in. But if they want our information (and they claim they do) they should be legally culpable.
Perhaps the cost of IT security teams would go up...?
P.
"It seems to me that this is a data breach and eBay has a registered office in South West London. Can the ICO take action if we make a complaint?"
BWAH HA HA HA HA HA HA
<font size=plus infinity>BWAH HA HA HA HA HA HA</font>
You owe me some new sides to replace the ones I have just split.
.. sorry. You may have missed the Troll Icon. Have beer instead.
They informed me at seven o'clock this morning...
"Here is the information we have: this attack occurred between the end of February and the beginning of March, and resulted in unauthorised access to a database of eBay users containing our members' usernames, encrypted passwords, email addresses, postal addresses, telephone numbers and dates of birth." - they stop short of pointing out the seriousness of what this actually means. As my mobile number is unlisted, if I suddenly find myself drowning in spam texts, I fully trust that eBay will meet all costs incurred in changing my number; not to mention sorting out the cancellation of any services that other people might sign me up to on the basis of this information (there is enough there to get a person subscribed to SMS services that are charged €€€ per text sent). Thankfully I think the French banking system is too tightly regulated for loans to be granted based purely upon this, though other countries may be somewhat less careful.
I guess the main question now is not so much what went wrong at eBay, but more - what happens now with regards this information.
I just logged into my eBay account - instead of taking me to the main landing page, it took me to a screen with the words, "Message from eBay"....and no message. Underneath that was a button labeled "Continue to your Destination"
A blank message seems somehow to epitomize eBay's overall approach to security and communication, i.e., non-existent.
Just logged on to my Ebay account to change my password in response to their advice. This is the response I got 5 times in a row:
"Page not available
Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.
You may also visit Customer Service"
So we are advised to change our passwords ASAP because Ebay takes our security "seriously"? "Seriously!"
I started out using the net @ uni for a comp-sci degree in the early 90's. It held so much promise. Around the mid to late 90's it started to become over-commercialised, but it still had promise. However, now it just isn't fun anymore: The 'Target' hack, Heartbleed, the Adobe cloud fiasco, E-Snowden & NSA privacy revelations, Google ads on everything goal, and now this latest eBay / Paypal meltdown....
I used to be the go-to guy for family friends for tech matters, but I can't be anymore. How can I assure them of anything when even the CEO of Symantec-Norton admits that their own AV / Malware / Phishing products are a sham! I can't even offer advice regarding financial hacking or data privacy, or government spying, because the attack vectors are firmly beyond me now...
I have a home based business. I used to diligently roll out updates and patches and even made assumptions that made me sleep better at night. But who has the time anymore?! I now leave most of my office machines permanently unplugged and off-the-net (and use a USB sparingly by air only when necessary). For the machines that are still 'live', I dedicate one to design, another to financial / accounting, and another to (risky) browsing, and isolate all onto different networks...
All the while I'm thinking this isn't f*cking progress! In addition I no longer have an active financial presence online, because I don't feel the banks / retailers etc, are doing enough to protect consumers, much to the chagrin of many pollyannic customer service mugs.
But I used to love the internet and I lament the fact there's so many sheeple using it, thereby fuelling the rise in hacks and scams... I cannot help but ask, why have an eBay / Paypal account when you're just a mark to a hacker with ultra-fast broadband in a small town in Romania you've never heard of?... Same goes for Google+, FB, Yahoo and MS mail...
And when the net isn't about scamming, account hacking, data breaches and hype, it's saturated by the latest celebrity vampire leveraging it for all it's worth... Driven on by a fickle global-media praying at the altar of the new shiny Twitter, Facebook, Google: 'God'...
So am I the only one retrenching from the net?
A major site hack or vulnerability or whatever comes out every other week, prompting me to change my password(s). The new one(s) should (once again) be unique to the site, not tied to any personal data, etc., etc...
Go to hell. Seriously, just go to hell; I'm not a goddamn hash table that can store an infinite number of passwords for an infinite number of sites and change any or all of them at a moment's notice. My memory is rather limited in this aspect.
Use a password manager, you say? I access these sites from a variety of devices and don't want my passwords to be present (encrypted or not) on all of them. Instead, I use SuperGenPass, but since that uses my master password and the site name to generate the actual pass, I can't change the site password without changing my master password, and thus we're back to square one.
I'm just so sick and tired of the whole thing by now, goddammit...
Sounds like it was the meat they employed to blame for this one, compromised accounts. Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?
I might switch to LastPass. Keep complex passwords all in a centralised web-based service... What could go wrong!
Also what happened to loading a public/private key pair into your browser and authing that way? All your details encrypted with your private key but stored on whoever's servers. Sounds a bit better than the current shambles to me. I remember it was all the rage with HSBC business banking 15 years ago or so, albeit with a hilariously complicated implementation.
Don't forget, the retards at eBay do not just keep your current password in the db, they keep all your previous passwords too ... as anyone who has been faced with their "you can't use that password, because you have used it before" idiocy will know ... so potentially they have not just revealed your current password .. but your whole keyring.
Apologies for the rant, it's an almost direct c/p of my arsebook post on the subject, but the question at the end is likely to be answered relevantly by folks here. (I notice Robin Szemeti above has noticed this too.)
Begin paste:
Several points against ebay here. Their backend database got 'hacked' [read: we left the keys on the hall table]. This much is public knowledge.
So I go to change my password as recommended. Nope. No such user, followed by several variants of 'this page is experiencing extreme load' and 'this page not found' and 'no such email in database'
So I go to chat to customer disservices using their live chat. Unavailable, despite being in working hours, california time.
So I get pissed, and send them a web form based Shit-O-Gram telling them to bloody well fix their ebay password change page NOW as they've just bloody asked everyone to use it.
I immediately get an email response with some utterly unrelated drivel that was barely literate, referring to paypal password problems. So naturally I replied to it with a "read your goddamned missives rather than sending algorithm matched shite". Only to get a bounce message saying 'this email account is not monitored'. So don't fscking HAVE IT then, what the hell is the point of an email address that doesn't work?
Eventually after much use of F5 and other F words, I get to the 'reset your password' link, and try to reset it. Only to get an offer to send me a PIN. By Text. To A FSCKING LANDLINE NUMBER. *HEADDESK*
I chose the more sensible option: Email me a reset link. Here they scored a minor plus: The reset email, which arrived almost instantly and was in my set 'plain text' format, told me to c/p the link to the address bar, encouraging me NOT to click links in email. Good advice. Credit where it's due.
However, the system then accepted my new password, but would not allow me to sign in with it.
So I hit reset AGAIN. And here begins the section with the query, I'd be pleased to hear you commentards' input on this: It then refused to let me use that same new password again, as I'd previously used it.
This to me says there's a problem: One of the following.
1. They're storing unencrypted passwords (not likely for such a large company, that's a rookie mistake),
2. They're storing encrypted passwords, not the hashes, bad practice.
3. They're storing unsalted hashes.
4. They're salting the hashes with the SAME salt, thus rendering it useless.
The questions are twofold. 1, is my analysis above basically correct (I would LOVE some input on my understanding of hashing algorithms), and 2, am I right that this is a major security flaw?
I won't even go into the rant about 'your password must contain 2 lowercase, 2 numbers, 2 symbols, 2 uppercase, the blood of a virgin, 2 bits of first kingdom hieroglyphics BUT NO SPACES' crap.
If you're a big webby company, scale up your password reset system just as you scale the rest of the site. Don't host it on a 486 in the basement, because when things like this happen...
On the question of salt, they could store each old hash with its own salt and check the new password by hashing it with each salt in turn and seeing if it matches. That would be more work, but no less secure than individually salted hashes. The password database would be larger, but the old hashes would be purely for elimination - compromising one would only reveal a deactivated password.
It's a rather curious approach though - what's the threat model from re-using old passwords? (I note Google prevents that too). It would only make sense in an enforced changing regime (when it prevents swapping between 'passwordA' and 'passwordB' every month - but can't detect 'password201405')
My guess (based on how most half-sane people would do it) would be that they're salting each user's password with a unique-per-user salt, so when you enter your new password it's merged with "your" salt, hashed, and the hash then compared against your previous password hashes to detect "naughty" password reuse.
This approach would keep 99% of the usefulness of the salt (i.e. you can't generate a rainbow table and mass-reverse everybody's hashes), and any additional weakness this introduces is rather overshadowed by their insane password policy anyway.
Ebay's password policy, in which password space is bounded to 6 <= length <= 20 characters, passwords must contain 2 of [lower-case, upper-case, punctuation-symbols], with no single dictionary words allowed (amongst other things), whilst removing the possibility of passwords like "apple", reduces the search space for brute-forcing algorithms significantly (with the main culprits being the low minimum length requirement and the bounding of password length to 20 characters).
@martin73,
It's quite easy to verify if you've used the password previously, without storing anything sensitive or reversible. All it has to do is attempt to call the login function with your new password against your old stored salt and hash details. If any one of them returns true, then it's been used before. Simples.
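As an added example (not eBay's code and not posted by anyone in this thread), here is the reuse check the last three comments describe: every credential, current or retired, is stored as its own random salt plus a slow PBKDF2 hash, and a new password is rejected by re-running the login test against each stored pair. Nothing plaintext or reversible is kept; the user name, passwords, iteration count and history depth are constructed for the demo.

```python
"""Per-credential salted password history (added example, not eBay's code)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000    # slow KDF so offline guessing of a leaked hash is expensive
HISTORY_DEPTH = 5       # how many retired credentials to keep for the reuse check


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-credential salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_credential(password: str) -> dict:
    """Fresh 16-byte salt from the OS CSPRNG for every credential we store."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


def matches(password: str, cred: dict) -> bool:
    """Constant-time comparison of the candidate against one (salt, hash) pair."""
    return hmac.compare_digest(derive(password, cred["salt"]), cred["hash"])


class PasswordStore:
    def __init__(self) -> None:
        # username -> {"current": credential, "history": [older credentials]}
        self.users: dict = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = {"current": make_credential(password), "history": []}

    def verify(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and matches(password, rec["current"])

    def was_used_before(self, user: str, password: str) -> bool:
        """Run the login test against the current and every retired pair in turn.
        Each retired hash has its own salt, so no salt is shared across entries."""
        rec = self.users[user]
        return any(matches(password, c) for c in [rec["current"]] + rec["history"])

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Rotate the credential; False if 'old' is wrong or 'new' was used before."""
        if not self.verify(user, old) or self.was_used_before(user, new):
            return False
        rec = self.users[user]
        rec["history"].insert(0, rec["current"])
        del rec["history"][HISTORY_DEPTH:]      # bound what a leak could expose
        rec["current"] = make_credential(new)
        return True


def demo() -> dict:
    """Constructed walk-through: register, rotate, then try to go back."""
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")
    first_change = store.change_password("alice", "correct horse battery staple", "Tr0ub4dor&3")
    # Going back to the retired password is refused even though only a
    # salted hash of it was kept.
    reuse = store.change_password("alice", "Tr0ub4dor&3", "correct horse battery staple")
    # Two credentials for the same password differ in salt and hash but both verify.
    a, b = make_credential("same password"), make_credential("same password")
    return {
        "first_change": first_change,
        "reuse_rejected": not reuse,
        "login_new": store.verify("alice", "Tr0ub4dor&3"),
        "login_old": store.verify("alice", "correct horse battery staple"),
        "same_password_different_hash": a["hash"] != b["hash"]
        and matches("same password", a) and matches("same password", b),
    }


if __name__ == "__main__":
    print(demo())
```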
BTW, why does theReg not believe in https anywhere on their register or login pages.. shameful !
Changed password yesterday evening without a hitch. Maybe their system noticed that my password was a statement on their level of incompetence? [*]
* - don't worry, it'll be something else in two moons, I trust eBay marginally more than I trust PayPal; and I don't trust PayPal at all.
That said, aren't those two practically partner companies? If eBay has been compromised, how do we know PayPal hasn't been?
...been recaptured, stuck in the next door cell in the stables, and the door roped closed without even so much as a new Abloy padlock...
...I pre-emptively changed my password. No email to tell me to, of course. Heard about it on the radio, of all things. Oh, and YE FESTERING AND SUFFERING GODS they took HOW FRAKKING LONG to tell us about this TARFU?!
And to those who bemoan their fiends - I mean friends - and mutants - I mean relations - not having a ruddy clue what to use for a password, tell 'em to get their passwords from here... http://strongpasswordgenerator.com/. Seems to have worked with those who hitherto didn't know what I meant, and couldn't understand how I explained it - thus, there is no longer any excuse NOT to know how to generate a strong password.
Remembering it afterwards, of course, is another matter altogether...!
but of course they won't. You can bet that someone let slip and they were not even going to bother alerting their customers to this failing in their security! That's why they spent two weeks sitting on this information.
In fact, let's reword that, at least one person's head will roll, the employee that let the cat out of the bag when they were going to just pretend it had never happened!
To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And, where 2 factor solutions involves a password, where biometrics involve a password for self-rescue in case of false rejection and where ID federations (single-sign-on services and password management tools) require the password called a master-password?
Paypal? Regulated like a bank? HAHAHAHAHA. Wishful thinking.
Yes, I'm serious. Paypal themselves very openly abuse the very fact that they "aren't a bank" and thus cannot be regulated as one within the vast majority of countries they operate in.
It is interesting however because when it comes to matters which strictly benefit Paypal (i.e. them requesting for copies of your national ID) they suddenly behave all "oh we must have this information as we're a "financial institution"". But the very moment your Paypal account is frozen for whatever arbitrary reason deemed fit by Paypal then the tone swiftly swings to "we are not a bank and thus the only legal document which matters is *our* TOS and fuck all".
Yeah. Fuck you too Paypal.
"passwords must contain 2 of [lower-case, upper-case, punctuation-symbols]"
This might have been relevant last century when it was humans trying to guess passwords, but do they honestly think it makes a blind bit of difference to a botnet what format the bloody password is?
Plus you are more likely to store these passwords somewhere insecure because you can't remember all the bloody things.
Better approach, but unfortunately stupid above type policies don't allow it:
http://xkcd.com/936/
I think they should be liable for the lack of security and the fact that someone now has our personal details and could attempt to use this to steal our ID etc.
I think that Ebay should offer compensation to all 145 million customers but that will not happen and so I think everyone should close their accounts as this company does not deserve to trade if it is so lax.
I don't want "compensation".
One derisory little token payment and then the matter is considered closed?
No.
I expect nothing less than for eBay, for a period no less than the validity of the data, to resolve - at their expense - any abnormality that may have arisen as a result of the leak of this information (directly into the hands of criminals, I should add - this information was taken with a purpose in mind).
Of course, the onus is upon eBay to have to prove that they are not culpable, per instance, not the other way around.
That is what we require. Not "compensation".
I have not received any notification - no messages in my Ebay Inbox, no notices displayed after first logging in.
Having read about the problem on another web site (Hexus.net), I went in to change my password.
It wasn't until I started the process (i.e. selected edit password), that the page displayed a message advising me to change my password and asking me to enter my email address, so that I could continue with the process.
Well that is truly a cart-before-the-horse way of informing users! Wait until they are doing the activity they need to do before informing them of the need to carry on.
Not impressed
Dear valued eBay customer,
As you may have seen in the news, we have experienced a minor security breach in which none of your credit card or other financial data were stolen. However, eBay recommends that you reset your password by clicking on this link and entering your social security number, PIN and bank card details to validate yourself:
eBay password reset
Yours in God,
Ologugu Ungobungo
Vice President Customer Services
Use an n-tier architecture:
web server -> application server -> database server
I suspect this breach came about because their web servers have direct access to the database, and someone used this to access them. This is bad design practice for this reason. The only server facing the web should be the web server. This should talk to the application server, which does request validation, business rules, etc. and which is not visible from the web. This server then talks to the database. If big companies like eBay can't get this right, then they're not employing the right people.
I griped about the eBay security farce on Twitter and got this rapid response.
Hopefully, they'll forgive me if I don't believe them.
***
AskeBay: There is no evidence of any unauthorized access to personal or financial info, as it's stored separately in encrypted formats ^E 11:47am, May 22 from Attensity Respond 6