Ebay hacked again!!

[Lynx-lynx]

The BBC:
The US firm Ebay said a database had been hacked between late February and early March, and had contained encrypted passwords and other non-financial data.

The company added that it had no evidence of there being unauthorised activity on its members' accounts.

However, it said that changing the passwords was "best practice and will help enhance security for eBay users".

The California-based company has 128 million active users and accounted for $212bn (£126bn) worth of commerce on its various marketplaces and other services in 2013.

It said it would be contacting users to alert them of the issue via email, its website, adverts and social media.

A spokesman added that the firm's engineers were in the process of rolling out a feature that would oblige members to choose new passwords when they next logged in, which should be live in each of the countries eBay operated in by the end of the day.


Here's the Guardian's Q&A
Ebay's announcement that a database holding the personal details of users – potentially all 223 million worldwide – was hacked raises a number of serious questions.

It's the biggest reported hack ever in terms of the number of people affected, but does not affect financial data, which is stored separately.

Spoiler:

Q: Do I need to change my eBay password?

A: Yes. eBay is recommending this to all users.

Q: But I just changed it a few weeks ago when all the Heartbleed stuff was happening. Do I really need to?

A: eBay says that it discovered the hack about two weeks ago, and that it happened between "late February and early March". If you haven't changed your password since then, you should.

Q: What data was stolen?

A: eBays says that the database with users' customer names, encrypted password, email address, physical address, phone number and date of birth was breached. It hasn't said how much of that data was copied. It's best to assume that it all was.

Q: Who was behind it?

A: eBay hasn't said, and it's unlikely that any group would claim responsibility. But the fact that the hackers targeted eBay and its customer database suggests that they were commercially oriented, rather than an Anonymous-style "hacktivist" group.

Q: What could someone do with that data?

A: That varies from country to country, but enterprising villains could certainly use it for online identity theft.

Q: Was any financial data stolen?

A: eBay says not; PayPal, its payment arm, says it was not affected, and that all its information is encrypted.

Q: Should I change my PayPal password?

A: If you want to be ultra-cautious, yes, but make it different from your eBay one.

Q: What's the biggest risk from this hack?

A: The most obvious one is "phishing" emails pretending to be from eBay asking you to reset your password, but which direct you to a fake site that will steal your password. The problem is that eBay is going to be sending out lots of emails asking people to change their password.

Normally, you can recognise a real eBay email because it contains your username in the subject line – which run-of-the-mill phishing attempts don't have. (Those tend to say something like "eBay user, change your password!" and should always be ignored.)

But if hackers have got hold of a database with your email address and username (aka customer name), then they can format an email which will look just like the real thing – but lead you to a fake site that looks like eBay but will capture your login details.

To avoid this, don't follow any links in emails that seem to come from eBay. Type the site's address into your browser. Advise your friends (and relatives) about this too: if eBay's username database has leaked to any extent, all those people are very vulnerable to phishing.

Q: Do I have to change my "secret question", which is used if I can't remember my password?

A: No. eBay says that this was stored separately.

Q: What method was used to encrypt the passwords, and how hard will they be to decrypt?

A: eBay hasn't yet answered our question on this. Internet companies use increasingly sophisticated methods to encrypt passwords; the idea is that your password should be transformed in a one-way process into a string of near-random characters. When you (or someone else) enters a password for the account, it undergoes the same processing, and the resulting strings of characters are compared. If they're the same, the password entry is accepted; if not, it's rejected.

Q: Why did eBay wait two weeks before telling everyone of a break-in that happened in February?

A: The company hasn't explained the timeline, but security breaches of this type typically take some time first to detect, then to determine their extent, and then to close against further hacks. It's only then that most companies announce they've been affected.

Q: Will eBay be introducing two-factor authentication (where you have to enter a code from a mobile device or previously printed list in order to log in from a previously unused device)?

A: We have asked, but so far haven't received an answer. The large email suppliers (Google, Microsoft, Yahoo, Apple) all offer "2FA" security, which ensures that even if someone steals your password they can't log in from a new device.

[Lynx-lynx]

I've never used them, so one less worry for me!

[Manabi]

They're taking their time on sending out E-mails. Also, when I went to the site yesterday afternoon (eastern US) there was no notice about the hack on their site anywhere to be found.

This slowness of notifying people is bad. Good thing the press has done a lot of it for them.

Some are speculating that their password reset system can't handle the load, because it was timing out on people by evening time.

[Prestidigitweeze]

Good to know that only my password and username were hacked. I feel so much safer knowing that the way to access my personal info was stolen but not the info itself. DO NOT BE ALARMED BY THIS MESSAGE.

Message edited by moderator to delete joke which he personally did not find amusing.

[carpetmojo]

[little and large]

Worrying!

[DiapDealer]

I haven't been logged in in so many years that I wouldn't be able to remember my password to be able to change my password. Not to mention that the email address I used back then is defunct, so resetting my password probably isn't an option. Think I'll just do nothing instead; and hope that when they finally break the encryption on my password, they find the account suspended for inactivity.

[frahse]

Quote:

Originally Posted by Prestidigitweeze

Good to know that only my password and username were hacked. I feel so much safer knowing that the way to access my personal info was stolen but not the info itself. DO NOT BE ALARMED BY THIS MESSAGE.

Message edited by moderator to delete inappropriate content

Now, now.

: )

[frahse]

Any word on the Pay Pal payment system?

[HarryT]

Quote:

Originally Posted by frahse

Any word on the Pay Pal payment system?

What about it? Seems to be working fine - I used it only this morning.

[Catlady]

I got an email from eBay that I guess was their notification; it told me how to reset my password but said nothing about why I should.

Today I had two text messages giving me two different temporary eBay PINs--no idea what that's about.

[BenG]

Quote:

Originally Posted by frahse

Any word on the Pay Pal payment system?

Paypal passwords weren't affected.
http://blogs.wsj.com/digits/2014/05/...-about-paypal/

[Manabi]

Quote:

Originally Posted by HarryT

What about it? Seems to be working fine - I used it only this morning.

Oddly enough I just bought the new Bundle Stars bundle a few minutes ago and it took two tries for Paypal to work. Logged in, clicked continue to purchase, spinner spun for a while, then reloaded the page and made me log in again. Worked the second time, but was rather strange.

Quote:

Originally Posted by Catlady

I got an email from eBay that I guess was their notification; it told me how to reset my password but said nothing about why I should.

Today I had two text messages giving me two different temporary eBay PINs--no idea what that's about.

That sounds like someone trying to get into your account. Could have been a simple mistake (got their account name/E-mail address wrong while trying to reset their own), or someone using the stolen data. I'd bet on it being a mistake though, the people with the data wouldn't need to reset it.

[bookaho!ic]

whats more worrying is they were hacked 3 months ago and only now are we being told!!! i never got an email saw a story on ten oclock news last night

[Froide]

Alan Henry wrote about this matter yesterday morning, in Lifehacker: "eBay Hacked, Change Your Passwords Now" (May 21, 2014, 7:05 am):

Quote:

"Attackers made off with names, addresses, email addresses, phone numbers, birth dates, and of course, encrypted passwords. eBay explained that financial info like credit card numbers and other sensitive data (like PayPal accounts) are kept in a separate encrypted database which wasn't compromised. They also said they've found no evidence of unauthorized access or activity by registered eBay users—which is code for "we don't think anyone's used these passwords yet." According to the statement, intruders compromised employee accounts first, and used their access to get the data they really wanted. They discovered the breach about two weeks ago, but the actual attack took place back in late February and early March."

Hackers made off with sufficient information to do a lot of damage, identity theft-wise. And given the closeknit nature of PayPal and eBay, I changed my info at BOTH sites (but won't use either ever again, going forward). Shame on eBay for not warning clients sooner! I'm still awaiting their email "informing" me of the breach and advising me to change my password, and according to today's news reports, I'm in good company.

I so agree with the title, tone, and content of Angus Kidman's Lifehacker Australia article: "eBay Demonstrates How Not To Handle Being Hacked" (May 21, 2014, 6:30 am).