eBay faces multiple probes into mega-breach

eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way. The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Received

    "eBay Password Reset Required" @ 07:16 this morning.

    1. Amorous Cowherder
      Facepalm

      Re: Received

      "Click on the link below!"

      ( which leads to some site http://www.lads_from_lagos.com/get_ebay_user_details.html )!!

  2. Zog_but_not_the_first
    FAIL

    Password Reset Required - Feedback

    How accurate was the item description? Neither inaccurate nor accurate

    How satisfied were you with the seller's communication? Very unsatisfied

    How quickly did the seller dispatch the item? Very slowly

  3. Anonymous Coward

    Long overdue

    It is very much about time eBay started to take responsibility for the security of its users.

  4. Marvin O'Gravel Balloon Face

    Wouldn't it be ironic if the crooksters sold the hooky data on eBay.

    1. MooseMonkey
      Happy

      I'm going to try to list all customer data on the UK site now.

  5. Roland6 Silver badge

    ICO ...data watchdog was considering a probe of the eBay hack

    What?

    I expected the ICO to have already served an assessment notice on eBay's UK head office covering their UK activities for a compulsory audit to assess whether the organisation's processing of personal data follows good practice. Additionally, they probably should also serve an assessment notice on eBay's other UK business operations: PayPal and GSI Commerce ...

    So what if the people and servers etc. are located outside of the UK (http://pages.ebay.co.uk/aboutebay/contact.html ), better to be seen to act and put some politicians' noses out of joint than to be seen to dilly dally, wring hands etc.

  6. The Dark Lord

    I love the way the reaction to these data breaches is for the organisation to tell the users to change their passwords. Like that will solve anything at all!

    And, why should I change MY password? It's not MY eBay account that spunked personal information on 145m people all over the internet.

  7. Tom Paris

    Sigh.... it's only a matter of time before the same thing happens to Amazon et al...information wants to be 'free'..between hackers and the NSA...... keeping secrets in the internet age is becoming troublesome...and I'm running out of addresses that I use in my passwords, fortunately I've just moved to Llanfairpwllgwyngyllgogerychwyrndrobwyll-llantysiliogogogoch...

    1. Tom 13

      @ Tom Paris

      Nah. Stick with the easy ones:

      Liar!Liar!Pantsonfire!

      Iamafrackingmoron.

      What?Meworry?

      etc.

  8. Anonymous Coward

    Change your password

    Easier said than done, it seems bozo the clown was in charge of the design of their password change system and you can't paste in a new password, you have to use a simple password because you have to type it in.

    If they can't get that right what else have they got wrong?

    1. John Tserkezis

      Re: Change your password

      "Easier said than done, it seems bozo the clown was in charge of the design of their password change system and you can't paste in a new password...."

      I could. In fact, I generated a new 20-character password with PWGen, and pasted that in.

      I changed mine through the Australian leg of eBay, so, they might be "lagging behind" compared to other parts of the world.

      But your comment still stands, I've been in that position with other web sites, and left strongly worded comments about their practice. One replied stating that once a string is in the Windows copy buffer, it is not only widely insecure, it's widely available to other software for the asking - actual keystrokes are not open to that. I said once a keylogger is in your system, it won't matter anymore.

      Like you said, if you're dealing with bozo any hare-brained idea they get becomes gospel and no-one is to question it anymore.

  9. Velv
    Pirate

    There but for the grace of God go I...

    The critical thing we in IT need to take from this is to review our own security and procedures.

    There have been several high profile companies caught out in recent months. We're screaming and shouting because we expected better of them.

    But are we sure our own house is in order?

    No, I mean really sure - like go and check Mr CIO, it's your job on the line.

  10. adam 40
    FAIL

    Password Reset Email Received but...

    Ebay have previously advised me to ignore all emails from them that do not mention my eBay ID.

    I did get an email (possibly) from them, but not quoting my eBay ID, so by their own rules I must ignore it, because it's probably spam...... they are a bunch of divvies, honestly....

    1. Anonymous Coward

      Re: Password Reset Email Received but...

      Check down the bottom of the email in the small print. Mine had my name and eBay login which is why I didn't just trash it offhand.

  11. Dr Wadd

    I closed my eBay account, and since they own them my Paypal account too, a few months ago due to concerns regarding their attitude to security. I'd made some changes to my account which generated a couple of e-mails to me. Both e-mails contained what eBay claimed was the IP address from which the changes were made, for security purposes. One of the e-mails had my correct IP, the other one that geolocates to somewhere in India.

    I appreciate that this issue could be due to factors outside of eBay's control, but equally it could be an issue with eBay. However, I found it virtually impossible to contact anyone with sufficient information to report this potential issue to, and everyone I spoke to was utterly clueless with regard to basic security issues. I was even asked at one point to explain to them what an IP address was.

    The combination of ignorance and brick walls was enough to convince me that eBay don't take customer-side security particularly seriously, and since I'd not used them for years I decided I'd be better off without them. Now I just have to hope that the database that was breached isn't one that contains details of ex-customers, given how shockingly poor eBay have been with regard to contacting current customers I highly doubt they would have the initiative to contact ex-customers who may be affected.

  12. Matt 52
    FAIL

    Techno babble bull

    I'm sorry, but who does this spokeswoman think she's fooling

    "Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”"

    All that means is they combine the fields and add a salt, which is rule #1 in the 101 list of things to do for a user's password

    Unfortunately, rule #2 is "Do not store the password in the same database as the username, but use a unique foreign field to map between two separate tables in two separate databases"

    If only they had got as far as reading rule #2. Incompetent idiots!

  13. Anonymous Coward

    its head line cos you need to read between the lines

    ICO’s Twitter... that the data watchdog was considering a probe of the eBay hack.

    Graham told Sky News.. his team had previously fined Sony £250,000 for its data breach.

    Never mind the issues faced by actual consumers, fine them - this is how the merry-go-round works

    It's the same in all and anything probed over in the UK, if it has value / incentive to make something of value it will be probed - if not then no headline.

    I mean our safety security first then how about fines

    This is identical to late trains and so on - Fine late trains but as a consumer if it's not an hour late it is still on time..

  14. Miss Config
    Happy

    'online tat bazaar'

    'online tat bazaar' is precisely the kind of thing I come to El Reg for.

    It even negates any whinges about 'boffins'

    ( which I previously only gave a grudging acceptance with the 'irony' card ).

    Up with that sort of thing. ( The phrasing, not the concept. )

  15. Anonymous Coward

    Nothing yet

    As a seller and buyer on eBay for the past 15 years I am really angry with eBay for not being more public about this information, as of yesterday was wondering myself and had to search closer to find out that it was Mandatory that you change your password to be able to sell or purchase on EBAY and say in the updates that messages would be going out to all registered users that they must change it, good job eBay how long is this going to take to inform everyone you MUST CHANGE PASSWORD instead of saying you suggest that you change it, does eBay know what this is costing all the small businesses in sales because people are afraid to buy or not sure what to do. When will EBAY take responsibility for this?????????

  16. Zog_but_not_the_first
    FAIL

    And now...

    I have a nag screen telling me to change my password, even though I've done it. eBay seems to know what I've bought, what I've looked at etc., so you might think that they'd notice that I've changed my password and turn off the "nag".

    And what's with the trend for "following" sellers and "liking" things. Trying to turn into another "Stalkbook"?

  17. Anonymous Coward

    been too busy...

    ... to read news for the last few days and this article is the first that I've learned of the hack. I haven't received any form of communication from eBay letting me know that they have been compromised.

    1. Pookietoo

      Re: been too busy...

      There's now a little "password update" link at the top of the My eBay page which leads to a short blurb which in turn links to info.ebayinc.com - the first "Update: Wednesday, May 21, 2014" on that page is a press release, which probably explains why users first found out about this sorry state in the papers. Granted it may have been the best way to get maximum coverage quickly, as many users may not go online every day, but it does look like eBay cares more about PR than actual customers.

  18. Nunya Biznas
    FAIL

    O rly?

    It strikes me as odd (although it probably shouldn't at this point) that a single employee credential would give complete access to their systems, doubly so for a server containing the most sensitive data... I wonder if there is an HVAC technician they can blame like Target did!

  19. david 12 Silver badge

    Got my email notification today, May 27, which makes it 4 days after this article, 7 days after the announcement.

    The email notification was cleverly written in idiomatic marketing speak, to make it look like it came from a third-world scammer.

  20. Anonymous Coward

    OK, so I changed my password when the media told me wtf had been lost by the online tat bazaar...

    But how do I change my first name, family name and Date of Birth?

    And how the @#$%! can I change all the email and physical addresses, phone numbers and other private information that they would never let me remove from their wretched system?

    But don't worry. They have done some checking and "... have no evidence that any customer financial or credit card information was involved"

    So now we have to wait until someone comes up with some evidence of that. Don't hold your breath though, it certainly won't be an eBay person.

    If they didn't have the details of every account waiting in some table or backup file, they'd have said so. But they keep the lot, so they are now liable for it, or rather, highly unreliable.

    They demand your data. They store it and never let you change it: "all your data belong to US!"

    But then, inevitably they share it with the world.

    Is eBay a Circus or a bunch of Clowns pretending to be?
