Received
"eBay Password Reset Required" @ 07:16 this morning.
eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way. The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a …
What?
I expected the ICO to have already served an assessment notice on eBay's UK head office covering their UK activities for a compulsory audit to assess whether the organisation's processing of personal data follows good practice. Additionally, they probably should also serve an assessment notice on eBay's other UK business operations: PayPal and GSI Commerce ...
So what if the people and servers etc. are located outside of the UK (http://pages.ebay.co.uk/aboutebay/contact.html ), better to be seen to act and put some politicians' noses out of joint than to be seen to dilly-dally, wring hands etc.
Sigh.... it's only a matter of time before the same thing happens to Amazon et al... information wants to be 'free'... between hackers and the NSA...... keeping secrets in the internet age is becoming troublesome... and I'm running out of addresses that I use in my passwords, fortunately I've just moved to Llanfairpwllgwyngyllgogerychwyrndrobwyll-llantysiliogogogoch...
"Easier said than done, it seems bozo the clown was in charge of the design of their password change system and you can't paste in a new password...."
I could. In fact, I generated a new 20-character password with PWGen, and pasted that in.
I changed mine through the Australian leg of eBay, so they might be "lagging behind" compared to other parts of the world.
But your comment still stands. I've been in that position with other web sites, and left strongly worded comments about their practice. One replied stating that once a string is in the Windows copy buffer, it is not only widely insecure, it's widely available to other software for the asking - actual keystrokes are not open to that. I said once a keylogger is in your system, it won't matter anymore.
Like you said, if you're dealing with bozo, any hare-brained idea they get becomes gospel and no-one is to question it anymore.
The critical thing we in IT need to take from this is to review our own security and procedures.
There have been several high profile companies caught out in recent months. We're screaming and shouting because we expected better of them.
But are we sure our own house is in order?
No, I mean really sure - like go and check Mr CIO, it's your job on the line.
eBay have previously advised me to ignore all emails from them that do not mention my eBay ID.
I did get an email (possibly) from them, but not quoting my eBay ID, so by their own rules I must ignore it, because it's probably spam...... they are a bunch of divvies, honestly....
I closed my eBay account, and since they own them, my PayPal account too, a few months ago due to concerns regarding their attitude to security. I'd made some changes to my account which generated a couple of e-mails to me. Both e-mails contained what eBay claimed was the IP address from which the changes were made, for security purposes. One of the e-mails had my correct IP, the other one that geolocates to somewhere in India.
I appreciate that this issue could be due to factors outside of eBay's control, but equally it could be an issue with eBay. However, I found it virtually impossible to contact anyone with sufficient information to report this potential issue to, and everyone I spoke to was utterly clueless with regard to basic security issues. I was even asked at one point to explain to them what an IP address was.
The combination of ignorance and brick walls was enough to convince me that eBay don't take customer-side security particularly seriously, and since I'd not used them for years I decided I'd be better off without them. Now I just have to hope that the database that was breached isn't one that contains details of ex-customers; given how shockingly poor eBay have been with regard to contacting current customers, I highly doubt they would have the initiative to contact ex-customers who may be affected.
I'm sorry, but who does this spokeswoman think she's fooling?
"Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”"
All that means is they combine the fields and add a salt, which is rule #1 in the 101 list of things to do for a user's password
Unfortunately, rule #2 is "Do not store the password in the same database as the username, but use a unique foreign field to map between two separate tables in two separate databases"
If only they had got as far as reading rule #2. Incompetent idiots!
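Salted password hashing of the kind the comment above refers to, as an added illustration that is not from this thread and not eBay's code: each user gets a fresh random salt and the password is run through PBKDF2-HMAC-SHA256 (an assumed stand-in, since the thread never names eBay's "proprietary" algorithm), shown beside the unsalted hash that lets two users with the same password be spotted at a glance in a leaked table.

```python
import hashlib
import hmac
import os

# Assumed parameters: the thread gives none, so these are illustrative choices.
ITERATIONS = 600_000   # work factor; slows down offline guessing of a leaked hash
SALT_BYTES = 16        # 128-bit random salt, stored alongside the hash


def unsalted_sha256(password: str) -> str:
    """What 'just hash it' looks like: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Return the record a user table would store: salt, work factor and digest.

    The salt is not secret; its job is to make every user's digest unique so a
    leaked table cannot be attacked with one precomputed lookup for all users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user, per change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    # compare_digest avoids leaking, via timing, how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users who chose the same password must not end up with the same stored hash."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print("unsalted equal:", unsalted_sha256(pw) == unsalted_sha256(pw))   # True
    print("salted distinct:", same_password_distinct_records(pw))            # True
    rec = hash_password(pw)
    print("verify ok:", verify_password(pw, rec), "wrong:", verify_password("nope", rec))
```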
ICO’s Twitter... that the data watchdog was considering a probe of the eBay hack.
Graham told Sky News... his team had previously fined Sony £250,000 for its data breach.
Never mind the issues faced by actual consumers, fine them - this is how the merry-go-round works
It's the same in all and anything probed over in the UK: if it has value / incentive to make something of value it will be probed - if not, then no headline.
I mean, our safety and security first, then how about fines?
This is identical to late trains and so on - Fine late trains but as a consumer if it's not an hour late it is still on time..
As a seller and buyer on eBay for the past 15 years I am really angry with eBay for not being more public about this information. As of yesterday I was wondering myself and had to search closer to find out that it was mandatory that you change your password to be able to sell or purchase on eBay, and they say in the updates that messages would be going out to all registered users that they must change it. Good job eBay, how long is this going to take to inform everyone you MUST CHANGE PASSWORD instead of saying you suggest that you change it? Does eBay know what this is costing all the small businesses in sales because people are afraid to buy or not sure what to do? When will eBay take responsibility for this?
I have a nag screen telling me to change my password, even though I've done it. eBay seems to know what I've bought, what I've looked at etc., so you might think that they'd notice that I've changed my password and turn off the "nag".
And what's with the trend for "following" sellers and "liking" things. Trying to turn into another "Stalkbook"?
There's now a little "password update" link at the top of the My eBay page which leads to a short blurb which in turn links to info.ebayinc.com - the first "Update: Wednesday, May 21, 2014" on that page is a press release, which probably explains why users first found out about this sorry state in the papers. Granted it may have been the best way to get maximum coverage quickly, as many users may not go online every day, but it does look like eBay cares more about PR than actual customers.
But how do I change my first name, family name and Date of Birth?
And how the @#$%! can I change all the email and physical addresses, phone numbers and other private information that they would never let me remove from their wretched system?
But don't worry. They have done some checking and "... have no evidence that any customer financial or credit card information was involved"
So now we have to wait until someone comes up with some evidence of that. Don't hold your breath though, it certainly won't be an eBay person.
If they didn't have the details of every account waiting in some table or backup file, they'd have said so. But they keep the lot, so they are now liable for it, or rather, highly unreliable.
They demand your data. They store it and never let you change it: "all your data belong to US!"
But then, inevitably they share it with the world.
Is eBay a Circus or a bunch of Clowns pretending to be?