Old 05-23-2014, 01:04 PM   #25
calvin-c
Guru
 
Posts: 787
Karma: 1575310
Join Date: Jul 2009
Device: Moon+ Pro
Quote:
Originally Posted by Manabi View Post
They only discovered the breach two weeks ago, and had to investigate thoroughly to see what was compromised before they could announce anything. That could easily take a week, so they're only about a week late on announcing this.

Even so, they're handling it horribly. I don't think I've ever seen a worse response.
Yes, and no. Even though the 'hack' came from obtaining authorized user logins, they should still have discovered it sooner - if they were really concerned about security. I worked computer security; I know. Standard auditing would have logged even authorized user access to sensitive data. Unless the 'authorized user' was a DBA - and if that's the case then the DBA should probably be fired - then the bulk copying should have triggered an alarm. (A DBA whose login is stolen is like a security guard letting his keys be copied.)

I went to eBay as soon as I read the story - and couldn't find a 'straight-up' password change function. I did find one, eventually, by following a question about what to do if I find that somebody else has used my account. Really - standard security practices are to change passwords frequently. So why would a company that's really concerned about security hide that function?

I guess that tells everybody how concerned eBay really is about security. (FWIW I use eBay maybe twice/year so I don't remember my login but I do write it down. That used to be a no-no but these days more 'hacks' come online from easily guessed passwords than from people physically accessing your office. Besides I keep my written-down passwords in a lockbox.)
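The kind of auditing the post argues for, written out as an added example (not code from the post or from eBay): per-account access to a sensitive table is logged regardless of role, and a burst of rows read within a window trips an alarm even for a DBA login. The audit line format, the table name and the 10,000-row threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format, not real logs): one record
# per query against a table holding customer data, with the row count returned.
SAMPLE_AUDIT = """\
2014-02-28T09:00:05Z user=jsmith role=support table=customers op=SELECT rows=3
2014-02-28T09:12:40Z user=jsmith role=support table=customers op=SELECT rows=1
2014-02-28T22:01:10Z user=dba_ops role=dba table=customers op=SELECT rows=4000
2014-02-28T22:03:55Z user=dba_ops role=dba table=customers op=SELECT rows=4000
2014-02-28T22:06:30Z user=dba_ops role=dba table=customers op=SELECT rows=4000
2014-03-01T08:30:00Z user=jsmith role=support table=customers op=SELECT rows=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

SENSITIVE_TABLES = {"customers"}          # assumed: tables holding customer data
WINDOW = timedelta(hours=1)               # assumed sliding window
ROW_THRESHOLD = 10_000                    # assumed per-account limit per window


def parse_audit(text):
    """Yield (timestamp, user, role, table, rows) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["role"], m["table"], int(m["rows"])


def detect_bulk_reads(text, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return (user, role, ts, rows_in_window) alerts for any account whose
    sensitive-table reads exceed `threshold` inside `window`. Role is logged
    but never exempts an account, so a stolen DBA login still alarms."""
    recent = defaultdict(deque)      # user -> deque of (ts, rows) in the window
    suppress_until = {}              # user -> time before which we do not re-alert
    alerts = []
    for ts, user, role, table, rows in sorted(parse_audit(text)):
        if table not in SENSITIVE_TABLES:
            continue
        q = recent[user]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(r for _, r in q)
        if total > threshold and ts >= suppress_until.get(user, datetime.min):
            alerts.append((user, role, ts, total))
            suppress_until[user] = ts + window   # one alert per burst
    return alerts
```

Three modest reads by the DBA account add up to 12,000 rows inside the hour and produce one alert; the support account's small lookups never do.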