Change your eBay passwords, security breach.

First I heard of this was on the news just now. Nothing at all from eBay. It's disgusting and companies need to be forced to make our data more secure.
 
First I heard of this was on the news just now. Nothing at all from eBay. It's disgusting and companies need to be forced to make our data more secure.

Fully agree. There needs to be tougher legislation with large penalties for companies who suffer security breaches like this. Would force companies to take security more seriously.

Seems to be so de rigueur for companies to release a BS PR statement after the event on how they take security seriously but not enough to stop some hacker taking ownership of a database with millions of user details on that includes all your sensitive details.

Completely unacceptable it's happened months ago and that eBay has known weeks ago and not told its customers.
 
I think you missed the point... you can automate email, you can automate notifications at login to prompt password change.

Going to tell my friends and family to stay away from that site.

I completely understand the point, you can't just send 200+ million emails in 10 minutes. I understand it's all automated, someone isn't going to write an email to each person manually :rolleyes:

As said in my previous post I am also shocked they haven't/aren't forcing the password changes.
 
Having logged into my eBay account to leave feedback on something I'm quite surprised that it hasn't given any messages about changing my password at all ...
 
I can't believe they didn't send an email out to every registered account. I didn't know anything about the breach until I kept getting a page not found error and it telling me to change my password. It wouldn't let me log in though due to traffic. I changed my password and it's now 21 characters, I'm bound to forget it!
 
First I heard of this was on the news just now. Nothing at all from eBay. It's disgusting and companies need to be forced to make our data more secure.

Or people just need to be educated about how insecure most IT stuff is and how incompetent the majority of staff in a big company are and therefore you hold the risk on any info you hand over.

Companies are most successful in their growth period to becoming a big company, they quickly plateau into mediocrity after that.
 
As said in my previous post I am also shocked they haven't/aren't forcing the password changes.

I haven't tried the eBay app on Android/iOS, but that might be the stopping point/reason.

Still think the mass email is the way to go:

"We were compromised in month, we have secured ourselves and plugged holes etc. You should change your password."

:D

/if they copy the above, I want commission on every email. :P
 
Maybe I'm missing something here but what's the risk if the passwords are encrypted?
http://www.bbc.co.uk/news/technology-27503290 said:
"We all know that given enough time hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant.
How long is a piece of string? Surely quite unlikely if you've a "strong" password and it's a modern hash?
 
Depends what password storage method eBay used.

Hashed only passwords would be a concern and vulnerable to rainbow tables.
Hashed + Salted would be far less of a concern, while technically not impossible to brute force or rainbow table it is highly infeasible.

The more concerning thing is the release of Name/DOB/Physical Address details. Not so easily changed...........
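
The hashed-only versus hashed-and-salted difference described in the post above, as an added example that is not part of the thread: it checks two password stores against a lookup table computed once in advance. The accounts, passwords and wordlist are constructed, and SHA-256 is an assumption, since the thread does not say what eBay used.

```python
import hashlib
import hmac
import os

# Constructed sample data: invented accounts and passwords, not from any breach.
WORDLIST = ["password", "123456", "letmein", "qwerty"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "Xk9#vq!72mLp-Tz"}

def digest(password, salt=b""):
    """SHA-256 over salt + password; salt=b"" is the hashed-only scheme.
    A production store would use a slow KDF (e.g. hashlib.scrypt) instead."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_unsalted(accounts):
    return {user: digest(pw) for user, pw in accounts.items()}

def store_salted(accounts):
    # Each account gets its own random 16-byte salt, kept beside the digest.
    out = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        out[user] = (salt, digest(pw, salt))
    return out

def verify(password, salt, expected):
    """Login check for the salted store, using a constant-time comparison."""
    return hmac.compare_digest(digest(password, salt), expected)

def table_matches(digests):
    """Which stored digests appear in a table computed once, with no salt?"""
    table = {digest(word): word for word in WORDLIST}
    return {user: table[d] for user, d in digests.items() if d in table}

def audit():
    unsalted = store_unsalted(ACCOUNTS)
    salted = store_salted(ACCOUNTS)
    return {
        "unsalted_matches": table_matches(unsalted),
        "salted_matches": table_matches({u: d for u, (_, d) in salted.items()}),
        "unsalted_reveals_reuse": unsalted["alice"] == unsalted["bob"],
        "salted_reveals_reuse": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("letmein", *salted["alice"]),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

With per-account salts the precomputed table matches nothing and identical passwords no longer share a digest; a weak password can still be guessed one account at a time, which is why the hash itself should also be slow.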
 
Trying to change my password but getting a "Sorry, this action is not currently available". Servers getting hammered, pages are slow to load.
 
The hackers could send everyone a birthday card? :p

That + identity theft.

You can guarantee there is more leaked that is not included in the news reports. Including things like telephone number if you set up SMS services or mobile 2-factor authentication.

What can someone do with that much information about you? Quite a lot. Basically potentially compromise any service that does not employ good security practice with things like secret questions or their own passwords. Short of actually possessing PHYSICAL identity documents you pretty much have someone's identity to use with what eBay have leaked.

You could conceivably sign up for services and intercept physical mail.
 