Ebay hacked again!!

[Manabi]

Quote:

Originally Posted by bookaho!ic

whats more worrying is they were hacked 3 months ago and only now are we being told!!! i never got an email saw a story on ten oclock news last night

They only discovered the breech two weeks ago, and had to investigate thoroughly to see what was compromised before they could announce anything. That could easily take a week, so they're only about a week late on announcing this.

Even so, they're handling it horribly. I don't think I've ever seen a worse response.

Quote:

Originally Posted by Froide

I so agree with the title, tone, and content of Angus Kidman's Lifehacker Australia article: "eBay Demonstrates How Not To Handle Being Hacked" (May 21, 2014, 6:30 am).

I agree with it too, but you probably wanted this link instead. Looks like you accidentally linked the first article instead.

[Catlady]

Quote:

Originally Posted by Manabi

That sounds like someone trying to get into your account. Could have been a simple mistake (got their account name/E-mail address wrong while trying to reset their own), or someone using the stolen data. I'd bet on it being a mistake though, the people with the data wouldn't need to reset it.

I've gotten that same e-mail now two more times. I think it's supposed to be the notification.

Over the past few months I've gotten dozens of "forgotten passwords" e-mails from eBay that are definitely triggered by attempts to get into my account, but these yesterday and today were different. In any case, I did reset the password, but not through the e-mail link.

I was more flummoxed by the text messages, actually--they were just plain odd.

[Byrdie]

I haven't heard anything yet from ebay, and I buy a lot of old records there, stuff I can't get anywhere else. Guess maybe I'd better change my password.

[Atunah]

Only way I even heard about this was seeing a scroll bar on CNN yesterday. I changed my password then. Also paypal just in case.
Haven't heard anything from ebay.

If the hackers got the info a while back, they already have it. I can change my password until the cows come home. They already have my address, birthday and all that stuff, right? Not that it isn't a good idea to change passwords, but still.

I just dealt with a hack this week when someone hacked into my Walmart account and happily ordered cell phones that also had phone cards attached that get emailed. They emailed the cards to their email and I got stuck dealing with 2 phones shipped to my address. All they wanted where the email codes for the minutes. I finally got that straightened out with cancelled CC and refusing delivery of the stupid phones. WalMart was no help of course.

I feel sometimes like its playing russian roulette anytime I do anything online that requires my address, payment. Since pretty much everything is done online now, I don't have much choice.

[Manabi]

Quote:

Originally Posted by Catlady

I've gotten that same e-mail now two more times. I think it's supposed to be the notification.

I doubt it is, so far very few people have gotten any e-mail at all, so getting four is really suspicious. The good news is that even if it IS someone trying to get into your account, they're failing.

Quote:

Originally Posted by Atunah

If the hackers got the info a while back, they already have it. I can change my password until the cows come home. They already have my address, birthday and all that stuff, right? Not that it isn't a good idea to change passwords, but still.

Well you definitely want to change the password, logging into a compromised account makes scamming sellers quite easy and eBay's system for dealing with those kinds of problems isn't exactly quick.

I don't worry too much about name/address/birthday, that info isn't hard to find for any of us anyway.

[rkomar]

Quote:

Originally Posted by Byrdie

I haven't heard anything yet from ebay, and I buy a lot of old records there, stuff I can't get anywhere else. Guess maybe I'd better change my password.

It won't hurt to change it, even if it wasn't compromised. Why take chances? So, I think your instinct is right on this.

[rcentros]

Quote:

Originally Posted by Lynx-lynx

However, it said that changing the passwords was "best practice and will help enhance security for eBay users".

I've been a registered user on eBay since March, 1997 (when you could still browse everything in a specific category). I actually bought items there before registering as, originally, you didn't have to register to buy. Seventeen plus years (I'm getting old). This is the first time I've ever changed my password. I figured I've had a long run, why test fate any further.

[jersysman]

It's been so long since I used eBay, I don't even remember my password.

[49Kat]

Wow...I didn't receive any notification from eBay, but I went there anyway and got the password reset. I also removed the link to my Paypal account. I haven't used eBay in years, but not quite ready to close the account yet either. And the Paypal account is now further locked down with a security key. I wish eBay would do the key thing as well without having to link to Paypal.

[calvin-c]

Quote:

Originally Posted by Manabi

They only discovered the breech two weeks ago, and had to investigate thoroughly to see what was compromised before they could announce anything. That could easily take a week, so they're only about a week late on announcing this.

Even so, they're handling it horribly. I don't think I've ever seen a worse response.

Yes, and no. Even though the 'hack' came from obtaining authorized user logins they should still have discovered it sooner-if they were really concerned about security. I worked computer security, I know. Standard auditing would have logged even authorized user access to sensitive data. Unless the 'authorized user' was a DBA-and if that's the case then the DBA should probably be fired-then the bulk copying should have triggered an alarm. (A DBA whose login is stolen is like a security guard letting his keys be copied.)

I went to eBay as soon as I read the story-and couldn't find a 'straight-up' password change function. I did find one, eventually, by following a question about what to do if I find that somebody else has used my account. Really-standard security practices are to change passwords frequently. So why would a company that's really concerned about security hide that function?

I guess that tells everybody how concerned eBay really is about security. (FWIW I use eBay maybe twice/year so I don't remember my login but I do write it down. That used to be a no-no but these days more 'hacks' come online from easily guessed passwords than from people physically accessing your office. Besides I keep my written-down passwords in a lockbox.)

[Froide]

Quote:

Originally Posted by Manabi

They only discovered the breech two weeks ago, and had to investigate thoroughly to see what was compromised before they could announce anything. That could easily take a week, so they're only about a week late on announcing this.

Even so, they're handling it horribly. I don't think I've ever seen a worse response.


I agree with it too, but you probably wanted this link instead. Looks like you accidentally linked the first article instead.

Thank you for the heads-up, Manabi. I've corrected the link.

...Still awaiting my email from eBay. Tick tock...

EBay's response to this mess has been egregious. I hope they'll comply with legislators' requests that eBay provide free credit monitoring services to affected users. It's the least eBay could do; their breach is larger than those of Target, disclosed last December, and of TJ Maxx/Marshall, in 2006.

[frahse]

Quote:

Originally Posted by BenG

Paypal passwords weren't affected.
http://blogs.wsj.com/digits/2014/05/...-about-paypal/

Thanks.

[Manabi]

Quote:

Originally Posted by calvin-c

Yes, and no. Even though the 'hack' came from obtaining authorized user logins they should still have discovered it sooner-if they were really concerned about security. I worked computer security, I know. Standard auditing would have logged even authorized user access to sensitive data. Unless the 'authorized user' was a DBA-and if that's the case then the DBA should probably be fired-then the bulk copying should have triggered an alarm. (A DBA whose login is stolen is like a security guard letting his keys be copied.)

I wasn't commenting on whether they should have discovered it sooner (they should have), just that the reality is they only discovered it two weeks ago so it's unfair to say they waited months to report the breech it was discovered.

Quote:

Originally Posted by calvin-c

I went to eBay as soon as I read the story-and couldn't find a 'straight-up' password change function. I did find one, eventually, by following a question about what to do if I find that somebody else has used my account. Really-standard security practices are to change passwords frequently. So why would a company that's really concerned about security hide that function?

That was my experience too, I have never had so much trouble finding where to change a password. It very much felt like they didn't want anyone to do so.

Quote:

Originally Posted by calvin-c

I guess that tells everybody how concerned eBay really is about security. (FWIW I use eBay maybe twice/year so I don't remember my login but I do write it down. That used to be a no-no but these days more 'hacks' come online from easily guessed passwords than from people physically accessing your office. Besides I keep my written-down passwords in a lockbox.)

I use a password safes myself. on two levels. I use LastPass for ease of use for stuff that's not terribly important (forums and such) and KeePass without a browser plugin for stuff that's important (banks, credit cards, etc.) Almost all of my passwords are totally random ones that are highly unlikely to be bruteforced anytime in the near future.

[WT Sharpe]

Well, this just sucks. These breeches of security are getting more and more commonplace, and it's not just eBay/PayPal. If a new system for guaranteeing identity isn't devised soon, we'll all find ourselves victims of identity theft.

[HarryT]

I got an email about it from eBay today. I actually changed my password last week, of course.