
eBay customers’ personal data was compromised in March - patchoulol
http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords
======
panarky
The spin is atrocious. The big story is not the headline, that users must
change passwords.

The big story is that ebay leaked personally identifiable information.
Naturally this is buried four paragraphs down.

> The database, which was compromised between late February and
> early March, included eBay customers’ name, encrypted password,
> email address, physical address, phone number and date of birth.

Don't patronize me with empty platitudes like "changing passwords is a best
practice".

Tell me to brace for an inevitable wave of phishing and identity attacks.

Tell me that bad guys will try to steal my other online accounts with this
information.

Tell me to trust no one because bad guys now look legit with my home address,
phone number and DOB.

Pro tip: put the real story in the headline. That's also a "best practice".

~~~
joshvm
Don't forget that it was nearly three months ago. Why weren't users informed
immediately?

Do I need to update my PayPal account too? (my email is the same, but both
passwords are long and randomised so not too bothered). So now they know my
email address and my home address - and my date of birth, always convenient.
Oh and as someone pointed out, I have PayPal automatically linked to my eBay
account. Great.

Which physical address? My default delivery? My invoice address?

So a quick update from the BBC: "something it only became aware of a fortnight
ago"

They only just realised, essentially. Although it's worrying that it took an
eCommerce site so long to catch it. And that's still two weeks when eBay knew
and nobody else did.

~~~
twistedpair
Damn, PayPal updated their password reset UI in the last week, but you can
still only enter _20 characters_ for a site that holds cold hard (electronic)
cash. Really guys? If you're really hashing them, why does the length matter?
The DB column width doesn't need to change. Want us to submit a patch?

P.S. I wonder if they were expecting a lot of resets, hence the redesign
rollout?

~~~
andrewpi
You think that's bad? Charles Schwab Bank only allows you 8 characters for the
password. No special characters either.

~~~
ssharp
AMEX also has surprising restrictive passwords.

Is the security surrounding password resets so bad that it's more secure to
force easier to remember passwords?

~~~
alxndr
So does Discover. When I wouldn't take "just because" for an answer, IIRC the
explanation was that it resulted in fewer password reset requests, so I
believe your take is correct.

------
leorocky
> The company also said it has no evidence of unauthorized access or
> compromises to personal or financial information for PayPal users. PayPal
> data is stored separately on a secure network, and all PayPal financial
> information is encrypted.

Ebay being hacked kind of scares the hell out of me because PayPal has my
checking account information with direct access to withdraw funds. A hacker
could rob me blind. Like seriously the owner of PayPal should not be telling
me this "we have no evidence of" bullshit because there's no alternative to
PayPal that online stores actually use and changing your checking account
number and routing number is very very painful. You have to get new checks,
you lose checking history. Fuck.

~~~
archon
I know it's not always practical for everyone, so I can't give it as general
advice, but this kind of situation is exactly why I isolate my "real" checking
account. My primary account (the one to which my paychecks are deposited)
doesn't have a debit card, and I never use the account number. I have a
different account that I use for online services like PayPal, and for
recurring charges online that require a credit/debit card, which I transfer
money into on demand.

It's extra work for me, but it's also less risk. Unless somebody gains access
to my online banking account, they're not going to be able to access my
primary funds account.

~~~
bentcorner
This is also sort of how I operate.

I have one checking account that my paycheck goes into, and I pay
monthly/yearly recurring bills out of this account. There is nothing online
for this account, the only way money gets out is that I get my bank to send
somebody a check.

I set up a weekly auto-transfer to a separate account which my wife and I
carry around debit cards for. This is for groceries, gas, and personal
shopping stuff, including online.

~~~
vhost-
Are your accounts with two separate banks? Last time I tried to open another
account with a separate bank, I got denied because I opened an account within
the past year.

~~~
ars
Not the OP but I do the same - two accounts, one for PayPal, and my real one.

It's two checking accounts in the same bank. Just call your bank and ask them
to make you another account.

With my bank I don't even have to call them, I can make one from the account
page.

By having it in the same bank I can leave the PayPal account always at 0, and
transfer the money easily to the other account.

~~~
jacquesm
Make sure that second account has a flag that says it can not be overdrawn
under any circumstances.

Banks are not always as smart as they should be and sometimes allow an account
of a customer 'in good standing' or with a credit balance on another account
to be overdrawn. Especially when it is done via direct debit.

This sort of thing can _really_ bite you.

------
wrboyce
"The database, which was compromised between late February and early March,
included eBay customers’ name, encrypted password, email address, physical
address, phone number and date of birth. However, the database did not contain
financial information or other confidential personal information."

…So, just my entire identity then? eBay really seem to be down-playing the
severity of this.

~~~
gvb
To put it more strongly, one phish away from ruin.

------
danielweber
FWIW, "ebayinc.com" totally screams "phishing attempt" to me.

~~~
droopyEyelids
You have to remember that eBay is an ancient tech company run by the old MBA
types that didn't really understand what value to place on engineering.

All their internal systems are maintained by vendors, VARs, and contractors.

So weird stuff like the ebayinc.com domain is to be expected. As is this hack.
Also it'd be interesting to know how it was detected, and how the extent of
access was determined. But if my prediction is correct, we will never see a
truly open blog post about it. First, because it's not clear to me that eBay
"infosec" is up to the task. Second, because eBay believes more in
compartmentalization, secrecy, misdirection etc. than 'openness'.

~~~
oneeyedpigeon
Take a look at ebay's Account Management interface. Remember what it was like
to use the web 15 years ago. Bear in mind that ebay owns PayPal which has
quite possibly the worst api I've ever used, along with an interface that is
even worse than ebay's. Wonder what the hell this company is doing other than
lying back and counting the dollars.

If it wasn't for a tiny amount of 'reputation' which might make others more
willing to deal with me, I'd close my ebay account right now.

------
AdmiralAsshat
Week 1: "We have no reason to believe that any confidential information has
been compromised."

Week 2: "We have observed some limited and negligible instances of credit card
information being compromised that coincidentally happened to be linked to
eBay accounts. We consider this purely coincidental and feel it is no cause
for concern."

Week 3: "Oh god they took everything."

------
jgrahamc
Has anyone received an email from eBay about this? I'm guessing that the
phishers are going to be faster at getting out fake change password emails
than eBay themselves.

------
orbitingpluto
Since PayPal == eBay, I just went to change my PayPal password as well.

PayPal went full retard. The security confirmation question?

Please supply your full credit card number ending in ####.

Um, that's the information I'm trying to protect in the first place.

edit: sorry about the "full retard" - trying to quote from Tropic
Thunder/RDJ. did not mean to offend

~~~
saurik
Doesn't that make it the perfect question? For someone to answer the question
correctly, they have to demonstrate that they don't even need to do so,
because they already know the thing you wanted to protect?

~~~
orbitingpluto
Along that reasoning... I'm from your bank. Please give me your account # and
PIN.

~~~
saurik
No, that doesn't work: if you really think that is a good argument, then
everyone is also a fool for believing "enter your password here to log in";
remember that you are answering a password reset challenge question at the
same site you would normally enter your password.

------
freehunter
>Cyberattackers compromised a small number of employee log-in credentials

This bothers me. No one cares how many employee logins were stolen. It only
takes one to cause a huge amount of damage. Is anyone reading this thinking
"oh, it's okay, they didn't take too many employee logins"?

~~~
mhurron
> No one cares how many employee logins were stolen.

Well that's not entirely true. First off, it indicates that the breach was
relatively contained. Or at least eBay wants you to think that.

The smaller the number the less chance there is that the credentials were to
more privileged employees. Not every employee is created the same. Not every
employee has access to account data and not every employee could send
customers corporate communications.

Now yes, the who they got is important over the how many, but the how many can
be stated without giving too much away.

~~~
freehunter
Even still, if the number of Unix admins at eBay was only 0.001% of the total
number of employees, the fact that 100% of their Unix admins had their
accounts compromised means that, yes, a small number of employees had their
accounts breached but it would still result in 100% of their user accounts
being breached.

------
Theodores
This is headline top-story news on the BBC right now therefore it must be
'big'. Yet no evidence of anyone making unauthorised access.

We have had a resurgence of 'Snowden' stories in the last few days, so here is
a hypothetical scenario: what does a company do if the hackers turn out to be
NSA/GCHQ? It is unlikely that they would drop an email to explain that they
had just stolen the whole customer database because of some 'al-qaeda' based
reasoning, so you would not know it was them. If you suspected it was them
then people would wonder if you had taken your meds. If you got the FBI
involved then they would tell you it was some script kiddies rather than the
Peeping-Tom-Brigade.

Or, if you did know it was the NSA, then you might think that information was
safe in their hands and not feel the need to tell the customers.

I look forward to when we get stories where the NSA are explicitly blamed for
a data breach instead of some random Chinese hacker, and that emails are sent
out saying 'we have been hacked by the NSA again, can you change your
passwords please?'. If the NSA crawled out of the darkness to deny the breach
then nobody would believe them.

~~~
planetjones
I wish the media could report these stories accurately. The BBC News ticker is
currently saying:

"Ebay asking people to change passwords after a cyberattack compromised
database containing encrypted user details"

Not True! The user details were unencrypted, bar the password.

------
davb
And neither eBay nor PayPal allow me to paste a secure password from KeePassX.
_sigh_

Edit: I can now paste on eBay (not sure what went wrong the first time) but
PayPal is still actively preventing pasting a new password.

~~~
robin_reala
I’ve not used Keepassx, but I have no trouble pasting from Lastpass…

~~~
twistedpair
You _can_ paste in PayPal passwords on the password reset tool _this week_,
but it's a new tool from last week when I last reset it. Wonder what made them
update it?

~~~
davb
I tried this around an hour ago and can't paste, it's being explicitly
blocked.

Perhaps my region (UK) still uses the old password change page? For
clarification, I'm using the change password function once logged in and not
doing a forgotten password reset.

~~~
twistedpair
I'm referring to a new Bootstrappy dialog (blue and white candy buttons)
available when you login from Paypal.com

~~~
davb
Ah. I don't see that. I see the new front screen (with large HTML5 video
background) but when I log in I've got a rather dated interface
[http://imgur.com/KVSREgH](http://imgur.com/KVSREgH)

This doesn't let me paste, giving the aforementioned tip that I should
copy/paste.

------
oneweirdtrick
Shouldn't eBay have emailed all their customers by now? Why are we learning
about this through a blog post?

~~~
LeoPanthera
The news "leaked" a bit early. [http://grahamcluley.com/2014/05/change-ebay-password/](http://grahamcluley.com/2014/05/change-ebay-password/)

------
dang
We changed the title because, as users pointed out, it was misleading.

------
pling
Considering the situation, it's either poor timing or related, but I can't
change my PayPal password. Get a blank page.

Not confident.

To be honest it takes the piss as they are spamming UK TV with adverts for how
secure PayPal is at the moment.

Really wish I never signed up but eBay has a monopoly on the payment types
now.

~~~
anujnayar
PayPal was not affected. I just tested changing my password and it worked fine.
Info for eBay users is here.
[https://info.ebayinc.com](https://info.ebayinc.com)

------
Sami_Lehtinen
But don't use DuckDuckGo's password generator. [http://www.sami-lehtinen.net/blog/random-passwords-using-duc...](http://www.sami-lehtinen.net/blog/random-passwords-using-duckduckgo)

------
brador
Is this only for ebay US or are other country versions affected too?

~~~
dijit
everyone.

------
askew
Unfortunately, attempting to reset one's password results in:

> Sorry. We're currently experiencing technical difficulties and are unable to
> complete the process at this time.

Swamped already?

~~~
Touche
Why are they not automatically resetting passwords?

~~~
anujnayar
Ebay is asking for passwords to be reset. PayPal is not affected.

~~~
Touche
that doesn't answer my questions, why do the stolen passwords work, why aren't
they just sending password reset emails?

------
hpoydar
Took a trip back to 2002 and visited the Account Settings / Personal
Information screen to change my password. No alerts or redirects on login to
change credentials. (But evidently an exciting "deal frenzy" is important
enough to highlight in all caps and red text in the nav bar). Ok, so the
PayPal DB wasn't affected, but does that matter? PayPal account is fully
linked up there.

------
ExpendableGuy
So I logged into eBay for the first time in over a year to change my password,
and noticed that eBay edited my reply to a buyer's feedback.

Has anyone else heard about eBay doing this? I have no way to edit it back to
the way it was from what I can tell. It's infuriating -- they changed the word
"Buyer" to "Seller" to make it sound like my reply to feedback was referring
to myself.

------
UVB-76
Remember a couple of months ago when Icahn described eBay as the worst-run
company he'd ever seen? [1]

Seems rather prescient now. Their incompetence has just cost us all our
personal information.

[1] [http://www.cnbc.com/id/101467290](http://www.cnbc.com/id/101467290)

------
ericcholis
Being that important auxiliary details were compromised (name, phone, etc...),
I'm beginning to think that encrypting that information should be more standard.
Obviously this leads to trouble if searching by that information is
required....

~~~
twistedpair
It's called PII, Personally Identifiable Information. In many industries, there
are indeed strict requirements for protecting it... just not at Ebay, who, for
its age, probably predates any such standard practices.

------
kmfrk
Any way to delete your account?

~~~
jr203fj2fuf
[http://pages.ebay.com/help/account/closing-account.html](http://pages.ebay.com/help/account/closing-account.html)

~~~
kmfrk
But does that actually delete all user records?

~~~
stevekemp
It certainly deletes the public-facings parts you can verify.

However note that they claim it will take up to 180 days to delete your
account. (I went through this last year, getting sufficiently annoyed to close
both Ebay & Paypal accounts.)

------
rahimnathwani
_database containing encrypted passwords_

Does anyone know whether they used per-user salt?

~~~
christop
Salt is used with a hash function, not encryption, AFAIK.

Though whether they really are using encryption (of plaintext passwords?), or
whether they actually meant hashing is another question.

~~~
cschmidt
Exactly. It seems like business oriented press releases often say passwords
are "encrypted" when they really mean hashed (if you're lucky). So we can't
really tell from this.

------
icebraining
Oh, so this explains the spam! I use a different email address for each site,
and spam for ebay@[mydomain] became noticeable about two months ago. I should
really pay more attention to these signs.

~~~
UVB-76
Indeed, my primary email address sits on a personal domain, is only used on
'respectable' websites, and historically has received very little spam.

The last few months have seen a substantial increase. Presumably linked to the
eBay breach.

------
ChikkaChiChi
I'm getting tired of sites that limit password length. Microsoft limits you to
16 characters.

Storage is cheap and you shouldn't be skimping on the most sensitive field in
your dataset.

------
dodyg
I would be so fuckin' mad if the passwords aren't hashed.

------
darylfritz
eBay's password character limit is 20 characters. I use a password manager and
detest sites that limit your password length to < 100 characters.

~~~
unreal37
Do you find many sites that allow 100 character passwords? That surprises me.

~~~
smellf
It shouldn't matter at all - the hashing should be done on the client so they
wouldn't need to worry about server resources, and all output from a given hash
function is the same size. Some hash functions may have upper limits, but I
doubt it. Ever md5 a multi-GB iso you downloaded from the Internet to verify
its integrity? It's the same thing.
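Added illustration for the two password-storage threads above (the "encrypted vs hashed, per-user salt" exchange and the "why does length matter if you hash" exchange). This is example code written for this page, not eBay's or PayPal's code, and it assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hashing scheme; the iteration count and salt size are choices made for the example. It shows that a salted hash is the same size whether the password is 20 or 500 characters, that per-user salt makes identical passwords store differently, and that an unsalted digest does not.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Example parameters (chosen for this illustration, not taken from any site):
# 600k iterations is the commonly cited PBKDF2-SHA256 work factor; 16-byte salt.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the record a site would store: algorithm, work factor, per-user
    salt and digest. The password itself is never stored."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt/work factor and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def digest_length_bytes(password: str) -> int:
    """Length of the stored digest: always 32 bytes for SHA-256, regardless of
    how long the password is, so a DB column never forces a length cap."""
    return len(bytes.fromhex(hash_password(password)["digest"]))


def same_digest_with_salt(password: str) -> bool:
    """Two users choosing the same password: with per-user salt the stored
    digests differ, so one cracked hash does not unlock the other account."""
    a = hash_password(password)
    b = hash_password(password)
    return a["digest"] == b["digest"]


def same_digest_without_salt(password: str) -> bool:
    """The contrast case: an unsalted digest is identical for every user with
    that password, which is what makes precomputed tables effective."""
    a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return a == b


if __name__ == "__main__":
    # Constructed sample inputs: a 20-character password and a 500-character one.
    short_pw = "correct-horse-battery"[:20]
    long_pw = "x" * 500
    print("20-char digest bytes:", digest_length_bytes(short_pw))
    print("500-char digest bytes:", digest_length_bytes(long_pw))
    rec = hash_password(long_pw)
    print("verify correct:", verify_password(long_pw, rec))
    print("verify wrong:", verify_password(long_pw + "!", rec))
    print("salted duplicates collide:", same_digest_with_salt("hunter2"))
    print("unsalted duplicates collide:", same_digest_without_salt("hunter2"))
```

The record keeps the algorithm name and iteration count alongside the salt, which is what lets a site raise the work factor later and re-hash on the next successful login without a forced reset.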

------
morbius
I'm so tired of large corporations not taking infosec seriously. This is a
shame, in all honesty.

