May 21, 2014

eBay is asking users to pick new passwords following a data breach earlier this year that exposed the personal information of an untold number of the auction giant’s 145 million customers.

In a blog post published this morning, eBay said it had “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”

Assisted by federal investigators, eBay determined that the intrusion happened in late February and early March, after a “small number of employee log-in credentials” that allowed attackers access to eBay’s corporate network were compromised. The company said the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.

The company said it will begin pushing out emails today asking customers to change their passwords. eBay has not said what type of encryption it used to protect customer passwords, but if previous breaches are any indication, the attackers are probably hard at work trying to crack them. How long that takes depends on whether the stored values are salted, deliberately slow hashes or something weaker, such as a fast unsalted hash or reversible encryption.
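To make the cracking point concrete, here is an added example (not code from the original post or from eBay) that runs a dictionary attack against the same four constructed accounts stored two ways: as unsalted SHA-1, and as per-user-salted PBKDF2-HMAC-SHA256. The account names, passwords, wordlist and the `algo$iterations$salt$hash` record format are all assumptions made for the demo.

```python
"""Why "encrypted" vs. salted-and-hashed matters to a cracker (added example).

The password table and wordlist below are constructed for the demo;
they are not data from the eBay breach.
"""
import hashlib
import hmac
import os

# Attacker's wordlist (constructed).
WORDLIST = ["password", "123456", "letmein", "qwerty", "ebay2014", "correct horse"]

# What the site originally knew (constructed users; carol's password is not in the wordlist).
USER_PASSWORDS = {
    "alice": "letmein",
    "bob": "ebay2014",
    "carol": "Tr0ub4dor&3",
    "dave": "letmein",      # same password as alice
}


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, iterations: int = 100_000) -> str:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF.
    Record format (an assumption for this demo): algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes: hash each word once, then match every
    user against that lookup table. Cost is len(wordlist), however many users leaked.
    Returns (recovered {user: password}, number of hash computations)."""
    lookup = {store_unsalted_sha1(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table: dict, wordlist: list) -> tuple:
    """Dictionary attack on salted PBKDF2 records: the salt forces a fresh KDF run
    for every (user, word) pair, so precomputation buys nothing and each guess
    costs `iterations` HMAC calls. Returns (recovered, number of KDF runs)."""
    found, runs = {}, 0
    for user, record in table.items():
        for w in wordlist:
            runs += 1
            if verify_pbkdf2(w, record):
                found[user] = w
                break
    return found, runs


def duplicates_visible(table: dict) -> bool:
    """True if two users with the same password produce identical stored values,
    i.e. an attacker can spot shared passwords without cracking anything."""
    return len(set(table.values())) < len(table)


if __name__ == "__main__":
    weak = {u: store_unsalted_sha1(p) for u, p in USER_PASSWORDS.items()}
    strong = {u: store_salted_pbkdf2(p) for u, p in USER_PASSWORDS.items()}
    print("unsalted:", crack_unsalted(weak, WORDLIST), "dupes visible:", duplicates_visible(weak))
    print("salted  :", crack_salted(strong, WORDLIST), "dupes visible:", duplicates_visible(strong))
```

With the unsalted table, six hash computations recover every weak password in the dump at once and the identical stored values for alice and dave are visible before any cracking starts. With salted PBKDF2 the same wordlist still recovers the weak passwords, but only after a separate 100,000-iteration run per (user, guess) pair, which is the multiplier that turns a minutes-long job into one that scales with the size of the leak; carol's password, which is not in the wordlist, survives either way.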

If you’re an eBay user, don’t wait for the email; change your password now, and make it a good one. Most importantly, don’t re-use your eBay or PayPal password elsewhere. If you did that prior to today, it’s a good idea to change that password to something unique at the other sites that shared it. And be extra wary of phishing emails that spoof eBay and PayPal and ask you to click on some link or download some security tool; attackers are likely to capitalize on this incident to spread malware and to hijack accounts.

eBay and PayPal users who haven’t already done so should consider using the PayPal Security Key, a two-factor authentication solution that can be used to add an additional layer of security on both sites.
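The Security Key is a button-press code generator that one token can back for several accounts. As an added illustration of how that class of event-based token works, the following example implements the HOTP algorithm of RFC 4226 with a small server-side verifier that enrolls tokens by serial number, binds accounts to them, tolerates codes from presses that never reached the server, and rejects replayed or stale codes. This is example code, not PayPal’s or Vasco’s implementation; the serial number, seed and account names are made up, and the seed used in the usage block is the RFC 4226 test-vector secret.

```python
"""Event-based one-time-password token and verifier (added example, RFC 4226 HOTP).

Illustrates how button-press tokens of this kind generally work; it is not
PayPal's or Vasco's code, and the serial numbers and accounts are made up.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """The gadget on the keychain: a seed and a counter that advances on each press."""

    def __init__(self, serial: str, seed: bytes):
        self.serial, self.seed, self.counter = serial, seed, 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side. Tokens are enrolled by serial number and any number of accounts
    can be bound to one serial. A look-ahead window tolerates presses that never
    reached the server; a counter at or below the last accepted one is rejected,
    which blocks replay of a code that was already used."""

    def __init__(self, window: int = 10):
        self.window = window
        self.tokens = {}      # serial -> {"seed": bytes, "next": int}
        self.accounts = {}    # account -> serial

    def enroll_token(self, serial: str, seed: bytes) -> None:
        self.tokens[serial] = {"seed": seed, "next": 0}

    def bind_account(self, account: str, serial: str) -> None:
        if serial not in self.tokens:
            raise KeyError(f"unknown token {serial}")
        self.accounts[account] = serial

    def verify(self, account: str, code: str) -> bool:
        serial = self.accounts.get(account)
        if serial is None:
            return False
        tok = self.tokens[serial]
        for c in range(tok["next"], tok["next"] + self.window):
            if hmac.compare_digest(hotp(tok["seed"], c), code):
                tok["next"] = c + 1   # resync to the token and burn this counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226 test-vector secret
    token = Token("000123", seed)           # made-up serial
    server = Verifier(window=5)
    server.enroll_token(token.serial, seed)
    server.bind_account("ebay:alice", token.serial)
    server.bind_account("paypal:alice", token.serial)
    first = token.press()
    print("first code accepted:", server.verify("ebay:alice", first))
    print("same code replayed :", server.verify("ebay:alice", first))
```

The window is the practical trade-off: too small and a token that was pressed a few times in a pocket stops working until support resyncs it; too large and an attacker who captured one code gets a wider target for guessing the next. Time-based variants (the phone-app option mentioned in the thread) replace the counter with the current time interval, so the same algorithm applies with a clock instead of a press count.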


123 thoughts on “eBay Urges Password Changes After Breach”

  1. TheOreganoRouter.onion.it

    The passwords were encrypted but were they salted?

    Anyway, I changed my password this morning

    1. Mike B.

      Better question is whether these passwords were hashed or just encrypted. If just encrypted then might as well steal the key with the employee credentials and go to town.

  2. Frustrated

    ebay put their notice re password change in amongst their rotating ad banners that you see when you login. So you may not see the notification at all if you go to another page on their site as soon as you login. What a botched-up job of notifying their end users of a breach.

  3. slipstream

    I really, really hope that when they say ‘encrypted passwords’ they mean ‘hashed passwords’…

    or else this could turn into the sequel of Adobe…

    1. Unix-Ninja

      To be fair, no one has actually discovered the decryption key for the Adobe dump yet.

  4. Jasmine G

    I have the Paypal Security key, which I have used for several years, but I only recently added the key to protect my eBay account as well. I wasn’t asked by eBay to change my password after this security breach, although I probably will do so.

    The key is a little gadget which could fit onto your keychain. I leave mine at home. When you sign into Paypal, after entering your password, the next screen asks for your security key code. The code is temporary and generated simply by pressing a button on the front of the device.

    After I was a recent victim of a crime, theft of my laptop (among other items), of course, I had all my usernames and passwords saved in Internet Explorer. Can you say dumbass? I decided it was a good time to start using the security key with Ebay as I have already done for many years with Paypal. Personally, I believe adding this gadget to your keychain is a foolish and stupid decision – leaving it safely at home seems like the best and most secure choice to me.

    1. mechBgon

      When my next-door apartment neighbor was burglarized, that was my own similar wake-up call. I don’t store my passwords in the browser, but I keep them in .txt files on the hard drive, so that’s even worse 🙂 For actual daily use, I use a fingerprint scanner to log into sites.

      My solution was to use full-disk encryption and require a password, or else a USB startup key, at system startup. If I come home and my computer’s gone, I’ll be really upset about my shiny new GTX760 😉 but not worried about my data. Ditto for the USB drive on my keychain… 256-bit AES encryption courtesy of Bitlocker To Go.

      Maybe it’s a commentary on our modern-day lives, but my list of site credentials now contains… lessee here… 111. It’s no wonder people resort to password re-use. If I didn’t use biometrics, I would definitely go with a password-management software to avoid using weak or duplicate passwords.

        1. Jim Rohrs

          I’ve been using SplashID for a few years and love it. Disclaimer: I have no ties to, or financial interests in, SplashData.

        2. JCitizen

          My bank encourages YubiKey ®, but I use LastPass for now. I am also not affiliated with anyone at all. Fortunately I have totally independent income, and will never need to shill for anybody.

  5. Jasmine G

    Wanted to add: for years, Paypal has offered a digital option for smart phone users, instead of a physical security key device. The digital option with an app never seemed like such a bright idea to me – I don’t want everything loaded onto my iPhone. If my phone is stolen or if I lose it, I’d sleep better at night knowing that I never kept sensitive personal data stored on it.

    1. JCitizen

      Have you seen that new Wocket? It is not dependent on internet connections or RF, and uses biometrics for ID. You can put all your financial instruments in it. I suppose there are those that wouldn’t work in it, but it is new, so we will see how it all hashes out. It is on pre-sale for $149 and I’m tempted to take the leap myself. Supposedly it is designed to accept 3rd party RF devices, but I don’t know anything about that yet.

      This wouldn’t stop a Target type breach, as that is an in store problem, but you’d never have to worry about your wallet getting stolen again. It looks like it is very scalable, so things could get interesting there. I have no idea if that is a one time charge or not.

  6. Ebay2FAwhatttt

    cannot figure out how to set up a security key on ebay if you already have a security key using a cell phone on paypal. on paypal, it asks if you want to use your security key on ebay. click that link and it looks like you have to buy one of those device thingies to use as a security key on ebay. would appreciate anyone describing exactly how to do 2FA on ebay using a cell phone as the security key like you can on paypal.

    (not that changing your ebay password and setting up 2FA is going to help much because the bad guys have names, addresses, phone numbers, and BIRTH DATES to do ID theft on a lot of people elsewhere. it’s like so what if you change your ebay password. the bad guys will get you elsewhere using all that personal information stolen from ebay….)

  7. Lisa

    I received the emailed warning from eBay today but when attempting to change my password eBay’s site was overloaded & would not allow a password change. Nice job eBay #Fail

  8. Frustrated

    On ebay.ca there is a notice of password change but it is buried in the rotating ad banners that one sees after logging in. However if you then go to another page on ebay you will not see this notice.

    I checked and ebay.com has no such rotating ad banner with the password notification warning. Rotating banner ads have in the past been a source of malware and I would think not the best place for such a notice.

    1. Old School

      “Rotating banner ads have in the past been a source of malware and I would think not the best place for such a notice.” I have sent complaints to Youtube about their popup ads that claim that my security needs to be upgraded or that my registry needs fixing. The last ad read: “(critical) You need to clean your registry.” I was then instructed to download PC Health Boost. Another ad read: “(critical) You need to update your security.” Has anyone else seen these ads? Is Google actually running code on my PC to check my registry or security system? Is Google using its good reputation to draw in suckers? @Brian: Could you please do a story about questionable security advertising like the type that can be found on Youtube?

      1. John Smith

        Those are just PUPs which don’t do anything, none of them are legit.

      2. JCitizen

        Download and run AdwCleaner from bleepingcomputer.com. My clients get drive by’d all the time and contract PUPs like that; this handy utility can take care of cr@p like that if you suspect you got hosed. I sometimes can only download and run it in safemode, because the AdWare blocks what you are trying to do sometimes. We might as well call things like that malware, but so many people get fooled into thinking they work, that the industry is hesitant to call a spade a spade.

  9. TheOreganoRouter.onion.it

    Ebay doesn’t have two factor authentication yet, that’s part of their problem

    1. notaname

      They do offer two factor with a physical Vasco token. It was introduced by Paypal. I’ve had it for years.

      1. BrianKrebs Post author

        Yep. So have I. I got mine shortly after they started offering it in like 2007 or 2008.

          1. Andre Rossetti

            Yes, you can use the key with as many sites or accounts as you’d like. Each account is set up using the token serial number. All the site/service owner needs to do is associate the token serial number with the account(s) and it will work fine, no need to have multiple tokens.

  10. Ed Tomchin

    eBay bends over backwards to make it easy for buyers, even at the expense of security. And they are always slow with notices to users, again especially on security matters. … ah for the good old days

    1. Roger Demuth

      Seriously? Personally, I think eBay and especially PayPal make it easy for sellers, but not for buyers. I avoid them both whenever possible. A new example with the password change: They won’t let you paste something into the password fields. If you use a password manager and passwords like (Y$%FVJKgbui%6vm (which I do), disabling paste from your password manager makes it quite a hassle to change the password.

      1. JCitizen

        Hmm!? I haven’t noticed that with my password manager!? Many times, when I’ve run into trouble like that, I found that using a different browser until my favorite one updates, solves the problem. One can always put pressure on the company providing the manager too.

      2. Lisa

        +1
        I use a password manager too & was unable to copy/paste my new pw into eBay’s form. (I use Safari on a Mac)

  11. NoMorePersonal

    Ebay says “the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.”

    So, as well as changing your password, you might as well change your name, your email, your physical address where you live, your phone number, and your date of birth. Change it all. Really how much worse can this get.

    1. kurt wismer

      while it sounds absurd to change some of those things, if you were using a unique disposable forwarding email address for ebay then it wouldn’t be that big a deal to change it – plus there are other benefits to doing so (makes it really hard for phishers to send you convincing ebay phishing emails if they don’t know the shared secret email address you set up for ebay communication).

  12. Jasmine G

    Wow, what a bunch of rip-off artists! My token cost me $5 back in the day. Now they want $29.95? I would think that if eBay and PayPal really gave a **** about their customers’ security, they would still be offering these security devices for $5.00.

    In a single year, I spend at least $5000 buying on eBay. In the olden days, I was a seller, for a decade, and I also worked for a larger eBay seller. My point is that loyal customers, buyers and sellers, generate an extreme profit margin for eBay, and they really shouldn’t be charging $29.95 for a security key when it used to cost $5.00.

    1. Frustrated

      Geez $5 now $29.95 guess we know what eBay values more. Wish to heck they would allow Google Authenticator like the other services I use do. Imagine if we had to carry around a key fob for each service that offered 2 factor authentication rather than using Google Authenticator.

      1. JCitizen

        Um – probably because they are direct competitors – what with Google pushing their Google Wallet service; you suppose?

    2. Tim

      Microsoft allow users to use two-factor authentication for free, and that’s on free accounts. So why Ebay and Paypal are charging their paying customers for 2FA is beyond me.

      Also, with Microsoft 2FA all you need is a phone. No stupid fobs or apps, just a phone to receive the one-time codes (landline or mobile, it doesn’t matter) . Simple and effective.

      If PayPal/Ebay want to get serious about security, they should make 2FA free and easy to use for their customers.

      1. Ebay2FAwhatttt

        Thanks Andrew for the m.vip.symantec.com address. That led me to getting the Symantec VIP Access app in the app store on my iPhone.

      2. Bob

        That may not work with Windows 8.1 or 8.1 Update 1.
        My employer’s parent company uses the corporate version of that and it won’t work with Windows 8.1 or 8.1 Update 1.

  13. kurt wismer

    since ebay apparently limits password length to 20 characters, it’s a safe bet that when they say the passwords were encrypted they really mean encrypted, not hashed.

    if the passwords were hashed there would be no need for a length limit since all hashes for a given hash algorithm have the same length.

    so much for making your new ebay password a good one.

    1. FARO

      It could be a hash, just that the password entries they will accept are limited to 20. 20 is a good number.

      1. kurt wismer

        the presence of a maximum size limit on the password suggests that longer passwords would cause some kind of problem – the most obvious being not fitting in the finite space they have available to store it. this would never happen if they hashed the passwords.

        there’s no reason to limit the size of the password if they hash passwords. the hash of a 20 character password is as long as the hash of a 20,000 character password for any given hash function.

  14. Grateful for your work!

    I just donated because whenever there is a crisis Brian is right on top of it. Thanks SOooooooooo Much. Please everyone… if you find value in this website please click the DONATE button and show Brian some gratitude.
    Just sayin’

    1. JCitizen

      +1 (every time I get some spare change)

  15. Chris Thomas

    eBay says not a thing on its front page or anywhere else. What we see is a complacent business-as-usual bloated home page which is like an entrance to a virtual bazaar. It states nothing about its slipshod public disclosure of valuable personal information which its customers entrusted to eBay IN GOOD FAITH. There is no shortcut to password change.

    eBay shows its tacit contempt for its customers. They deserve better but will have to wait while eBay emerges from being in denial.

  16. Chris Thomas

    Thank you eBay for making so much money from your trusting customers while being so negligent with the sensitive personal information we entrusted you with, no doubt so that it could be used for marketing purposes. Your arrogance towards us and contempt for us is breathtaking.

    1. Lindy

      I can’t understand where you are coming from to make these allegations….
      do you have any facts to back up your statements?

      1. Chris Thomas

        Only what I have read from a continually and rapidly expanding number of sources that I have fairly taken as authoritative. If eBay failed to encrypt or otherwise safeguard my pathetically precious date-of-birth (which cannot be changed), the safe-keeping of which I entrusted to eBay, I rest my case.

        This scandal is the BIG news of this month.

        Excerpts from the tech blog I receive from the highly respected UK daily newspaper The Daily Telegraph say “What’s truly shocking, however, about eBay’s lapse is that while passwords were encrypted, all the other data was not. ” and “What damage there is to its reputation, and what may emerge in the future, remains to be seen. “

  17. Luke

    For using strong and unique passwords I recommend using a password management software as well. There are a lot of those on the market – Sticky Password, Lastpass, Dashlane.. you can choose which suits you more, but it is important to choose one. Once this happens – once they hack some site – you can just change the one password for this website and you are OK. If you use 1 password for everything, you are in trouble.

    1. Eric

      I use “Password Safe” myself, but any sort of password vault is almost a requirement these days.

      I just created a new random and unique password for eBay. And if they somehow crack the old one, it isn’t like it is good for much of anything else.

  18. Lisa

    eBay has always been about profits. Period. Customer security should be a given, eBay charging for a security key amounts to extortion. Reminds me of the “protection” money gangs & organized crime organizations have traditionally charged neighborhood businesses. It doesn’t surprise me that they saw customers willing to pay $5 for a key, got greedy & increased the price but $30?! If I think about it in the terms of racketeering I can almost imagine this security breach as “punishment” to those who aren’t paying eBay for a key… just sayin

  19. Tommy

    Another security clusterfuck from another big web company almost daily now, top tier eBay staff up for sale $25 or best offer!

  20. EbaySale

    Ebay Data Sale:

    email & password – $
    name, address, phone, email, birthdate – $$$$$$

    which is worth more? losing your password. or losing all of your basic personal information…. Ebay’s statement and the news headlines elsewhere (ex: change your ebay password) make it seem like it’s only a stolen password situation – while barely mentioning the more serious loss of more important personal information which will be the basis for a lot of ongoing ID theft.

  21. Pookie

    Brian,

    Are they actually going after ebay passwords? I would think that the real gold mine is the other personal information that can be used to reset paypal (or other accounts.)

    How valuable would a database be if it were loaded with real names, addresses, mother’s maiden name, your first pet’s name, your first elementary school, etc… static information that the vast majority won’t go back and change (out of fear that they won’t remember what they change the falsified data to.)

  22. Chris Thomas

    So here am I on a typically glorious summer day in Wigan but something is wrong. I will now be spending the rest of my life anxiously waiting for a knock on the door to be told that a crime has been committed in my name and the FBI want to extradite me. Those nice people at eBay let my unencrypted personal particulars out into the wild and who knows what mischief I will be accused of when some criminal uses my details from his list, supplied courtesy of eBay.

  23. Harry S

    I changed my pswd today. I only noticed a message related to the breach on the screen AFTER I had initiated the password change.

    It is odd that they call it “password reset” rather than “password change”. In my world, “reset” means a CSR changes it to some temp value and you have to login within a reasonable time to change it to a different value. Confusing.

    Regarding two-factor tokens, I would get the physical token but not for $29.95. I use them at work. I have implemented the software tokens on phones (like Google Authenticator) but I don’t always have my phone with me.

    They should use RSA Adaptive Auth or similar and look for behavioral differences at login time (different time, IP addr/location, device footprint, better challenge questions, etc.).

  24. JimV

    Heard about this on the news last night, and made a point of changing my pw (which is stored by LastPass somewhere in the cloud) immediately. Guess this is a going to be recurring theme in our brave new online world.

  25. mbi

    I’m glad Paypal wasn’t affected. They don’t let you use the paste functions for passwords from Keepass. I tend to use long complicated passwords from Keepass’s random generator which are difficult to retype. Disabling copy/paste has security advantages, but makes changing passwords often difficult. Easily changing passwords fast is the best prevention.

    1. BrianKrebs Post author

      This is fake, and merely an attempt to steal bitcoins. If you download the sample at that link, and then start trying to sign up with those email addresses at eBay, you will find that few if any of them are tied to existing accounts. eBay does not allow multiple accounts to be tied to one email address.

      1. me

        Could you explain how they can steal bitcoins? Is it some kind of a flaw in the bitcoin system? Or are you saying that a transaction happens, you pay in bitcoin and then you discover that you have been sold a lemon? Thanks.

        1. BrianKrebs Post author

          Sorry if I was unclear: It’s a scam to trick you into paying bitcoins for something worthless. There’s no flaw involved (except maybe in human reasoning on the buyer’s part).

  26. Martha

    Last night, I went to ebay.com, selected customer support, selected the change password link, and at 9:21 PM EST, I got an email from ebay with a link that I used to change my password. After changing I was asked to sign in again with my new password, which I did. At 9:24 PM EST, I got a password confirmation from ebay.

    Then beginning at 6:58 AM EST, I got 4 reset password emails that looked identical to the one from ebay at 9:21 PM. I called customer support; they could not explain it, but said the emails were not from ebay. I forwarded the emails to spoof@ebay.com. They quickly replied that they were phishing emails and were working to disable the sites. A subsequent careful comparison of the links in the emails showed a very slight difference between last night’s and this morning’s links.

    Are the phishing emails just coincidence? (I’m a Mac OSX user.)

  27. Reggie

    After all these years of futzing around with Internet and network security, WHY are we still no farther in our security savvy? I’ve been in network security for 20 years, and the “experts” still seem to lack the basics of common sense security strategies and practices, even in their own personal security practices.

    What difference does it make for everyone to rush to change eBay passwords, when stolen passwords were encrypted? eBay’s notifications to do so are but pacification to their customers and the media, a cover-yer-ass pill.

    The valuable stolen information was NOT encrypted — the personal information stolen is worth fortunes! By getting their hands on the personal stored information the criminals now can easily set up all kinds of accounts from the stolen ID information, and those accounts are far more revenue prolific!

    Stolen IDs are the ugliest form of crime. The onus of ID proof and debt incurred falls on the victim. These cases often take years to settle! It ruins the victim’s life!

    It’s not the same as a fraudulent charge on an existing credit card or funds taken from an existing bank account. Stolen personal information allows the criminal to set up NEW accounts in the victim’s name and exploit those accounts rapidly. The mounting debt is terrifying! New accounts pop up anywhere and everywhere using the stolen ID information. I’m far more worried about what someone will do with my personal information.

    Security is dealing with humans, NOT technology!

    1. JCitizen

      I don’t know Reggie, do you suppose it matters anymore? I’m sure the crooks were smart enough to aggregate all this data into a huge Excel or Access database (or whatever), and it will never leave the internet, until you move, and change your phone number! The numbers of persons are so huge, that even the crooks have trouble doing it all. God forbid they invent an algorithm or database analyzer, that gleans even more ‘profit’ from their ill gotten gains.

Comments are closed.