May 21, 2014

eBay is asking users to pick new passwords following a data breach earlier this year that exposed the personal information of an untold number of the auction giant’s 145 million customers.

In a blog post published this morning, eBay said it had “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”

Assisted by federal investigators, eBay determined that the intrusion happened in late February and early March, after a “small number of employee log-in credentials” that allowed attackers access to eBay’s corporate network were compromised. The company said the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.

The company said it will begin pushing out emails today asking customers to change their passwords. eBay has not said what type of encryption it used to protect customer passwords, but if previous breaches are any indication, the attackers are probably hard at work trying to crack them.

If you’re an eBay user, don’t wait for the email; change your password now, and make it a good one. Most importantly, don’t re-use your eBay or PayPal password elsewhere. If you did that prior to today, it’s a good idea to change that password to something unique at the other sites that shared it. And be extra wary of phishing emails that spoof eBay and PayPal and ask you to click on some link or download some security tool; attackers are likely to capitalize on this incident to spread malware and to hijack accounts.

eBay and PayPal users who haven’t already done so should consider using the PayPal Security Key, a two-factor authentication solution that can be used for additional security on both sites.


123 thoughts on “eBay Urges Password Changes After Breach”

  1. HowLarge

    really wondering about the bad guys stealing EVERY ebay users’ information (name, address, phone, email, birthday) versus just only a “LARGE PART” of users. one Reuters article says: “They then accessed a database containing all user records and copied ‘a large part’ of those credentials.”

    http://www.reuters.com/article/2014/05/22/us-ebay-password-questions-idUSBREA4L0SH20140522

    Yes, they accessed, but only copied a “large part.” how “large” was that?

    (of course, after whatever further forensic fumbling around they are doing, they may say they copied the whole thing….)

    1. Chris Thomas

      Whose details are on that large part? Will eBay have the honesty to say? Not yet apparently. It’s still deeply in denial.

    1. BrianKrebs Post author

      I really can’t stand stories from mainstream media outlets that don’t even apply basic investigation skills available to anyone. This list is fake, and an attempt to separate unwary idiots from their bitcoins. See my previous comment for an explanation of why.

  2. Eric

    I’m less worried about my password – that can be changed no problem. But it’s a lot harder to change the rest of the info, like name, physical address, phone number and date of birth. I realize that this is pretty much public domain stuff, but the public doesn’t get to see the correlation to the online profile. To have the real-world stuff linked to an ebay account and email address and have that in the hands of these attackers is disconcerting. They’ve proven that they are willing to break the law, impersonate someone for financial gain, and are good at doing so. Thanks a lot, ebay.

  3. rick

    Somewhat related, what bothers me lately more than the breaches is no obligation to do the right thing.

    Here’s one instance where I want some government. Why shouldn’t an institution be required to disclose breaches within a certain amount of time? Or at all?

    So frustrating to get a notice from a bank, saying there was a possible problem (read: there was one), with a vendor and they reissue a card. They never reveal who the vendor was. I think this should also be a requirement.

    1. Lisa

      +1!! (Can I add more than 1?)

      This is where ‘self-regulation’ or ‘self-policing’ shows its inherent flaws. Companies have no moral compass (obviously neither do their executives) & “doing the right thing” is not in the best interests of the company. Arguments for self-regulation are quite often a misdirection by lobbyists for cost savings, reduced responsibilities (ie: cost savings) etc so the money can be redirected into executive salaries. Am I cynical? Yes. Is it justified? YES!

  4. jon

    My paypal info was compromised, because I had close to $800.00 spent out of my checking account @ online stores. I only ever had given financial info online when I signed up for paypal in 2008. This is the 3rd time in the last 2 years this has happened to me. Those People need to get a real job, and do real work for a living instead of stealing someone else’s hard working money. They are all lazy, and want an easy life for doing nothing but stealing and being cheats all their life. Pathetic.

    1. Frustrated

      That is why when people want to use PayPal I tell them to attach a credit card to the account or simply use a credit card and then remove it from their PayPal account. Otherwise use a separate chequing account that has a limit amount of $ in it. That also prevents PayPal from freezing your main chequing account in the case of a dispute.

  5. eddie ski

    So, I changed my ebay acct pwd. Haven’t used it in 6+ months. Contact info is incorrect (old ph# from a job long gone). CC# expired and paypal not even linked.

    Ebay uses a pathetic pwd algorithm check. Fails you if you use spaces. I had non-repeat, alpha-numeric, symbol and cases at 30 minimum characters and it said it was weak! It was generated by…1Password (agilebits) and *still* said weak or had white spaces. WTF?
    So in frustration, I tried to close the account. Heck, eBay gouges most with fees, and buyers seem to get the upperhand even when (as a seller) the item is good and sold as stated.
    Well, go try to close a “standard” account. Nope. Said I was restricted or suspended (my account status is good, standard..)
    I have screen shots of the painful experience. And in the end, you need to call with a “code”. Over 20 minute hold… eff that. I want to read Krebs…
    Ebay needs to become the next Target with loss of stock, CEO and CIO heads rolling out and complete profit loss. eBay is deadbay.

    1. JCitizen

      I know what you mean eddie ski, my buddy who was doing business on there, just flat had to stop doing it because of the unfriendly business practices for folks trying to make a living.. It is okay for people cleaning out their garages, I suppose, but as a buyer, I have good luck on there.

  6. Jasmine G

    FYI, if anyone is interested, there’s a CNET article from January 11th, 2007 with an explanation of the $5 fee for the PayPal security key. For customers with a business PayPal account, the device was offered free of charge.

    (I just like to back up my claims with factual proof, even though nobody challenged my credibility when I said the key fob originally cost users only $5.)

    1. Walt

      Paypal and eBay charges for the physical device, but you can download an app (VIP Access) which replicates the functionality at no charge.

  7. Ed Manley

    Wonder how many ticked-off eBay users are now trying out some form of password like “eBaySux1!”

  8. Ed Manley

    I sold a boat on eBay a couple days ago and changed my password at that time because I now use Dashlane password manager. I hope it works, and I am really ticked off that eBay had nothing on this breach – no onsite message, no email – I had to hear about it here. That’s just wrong.

    1. John Pankiw

      I had to cancel four credit cards after using paypal through ebay. There is a breach. After three transactions on ebay with different cards each time the next day I had a charge go through for ( two at 49.95) and one for 50.18 all well fake transactions. One was for fighterbody.com (fake) 49.95 the prior one was beachbody.com (fake 49.95 and another was for 50.18 some unknown mexican company. I am livid. I would really like to sue.

  9. EbayNotSecure

    ebay put a notice on its front page: http://www.ebay.com/reset

    “[blah blah blah]…. Meanwhile, our team is committed to making eBay as safe and secure as possible. We are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features….”

    maybe easier 2FA like via sms text – instead of buying a dongle thingie or using the symantec app. although the symantec app is easy to use, would personally want to instead use a different authenticator app or be able to use text to get the code.

    1. BrianKrebs Post author

      According to eBay’s site, you can use it to get a text

      Security key: You carry this small credit-card sized device with you. It creates a unique security code on the go.
      Mobile phone security key: You can sign up to get security codes sent by text message to your mobile phone.

      1. EbayNotSecure

        stupid questions: where does it say this on ebay? and exactly where to set it up for texts? because really want to set it up for only texts. can find all that on paypal but on ebay only see setup with a device (or can use that procedure for the symantec app) but not for texts on a phone.

        1. Jasmine G

          Here. I copied the link directly from my eBay account page. You can find this information under “My Account,” and then go to “Personal Information” and scroll down to the very bottom of the page. Look under the heading “Security Information.”

          Security Information

          To activate a Security Key on your eBay account, go to the Activation page. To activate a Security Key on PayPal, please go to the PayPal Activation page.

          Active Security Key Serial number: XXXXXXXX9999
          Activation date: xxxxxxx

          This is the actual website link to activate a token. Be careful, of course, because I could be any dumbass hacker trying to social engineer my way into your eBay account.
          https://signin.ebay.com/ws/eBayISAPI.dll?ActivateSecurityToken

          1. KrebsReader

            I’m not finding any such thing on my personal info page. I suspect this only works if you linked the two accounts. Mine are not.

          2. EbayNotSecure

            jasmine: thanks. already saw all that. have that set up for the symantec vip access app on my main iphone. BUT REALLY WANT TO KNOW IF AND HOW TO DO THIS WITH SMS TEXT. particularly if you want to get the SMS TEXT on a backup cell phone that happens to be a dumb feature phone. not with an app or a key dongle token device. but with a TEXT that is sent to your phone. as brian writes in his above message where he says “According to eBay’s site, you can use it to get a text”

            this can be done with paypal using either a TEXT or a key device (or an app like the symantec app). but nowhere on ebay seems to have an actual process to set it up for receiving SMS TEXT. the closest thing to this is if you forget your device and then it calls you at your contact telephone number, that’s not same as a text to your cell and does you no good if your contact phone number is the house phone and if you are not home.

            agh, yeah yeah, just use the app or buy the $25 dongle. but when more people want to do 2fa on ebay, they will want SMS TEXT particularly if they are using dumb feature phones.

      2. Jason

        With regard to your comment
        “Security key: You carry this small credit-card sized device with you. It creates a unique security code on the go.
        Mobile phone security key: You can sign up to get security codes sent by text message to your mobile phone.”

        Most tweeted to me story of the week
        “How I bypassed two-factor authentication on Google Facebook, Yahoo!, LinkedIn, and others.”

        Security Now podcast
        https://www.grc.com/sn/sn-456.htm

        I’m surprised, Brian, that GRC.com is not included in your blogroll

        1. BrianKrebs Post author

          I thought it was, but I see now that it’s not. Thanks for the reminder!

          Bk

  10. Dawn

    I’ve never provided any website with my real date of birth.
    Anyone who does is simply foolish.

  11. sirk

    EBay’s password change process is pretty horrible. You have to change it from a link they send to your email and that page will not allow you to paste in the new password – you have to type it in.

    Let’s say I use a password manager and it comes up with some really awesome password like:

    j*9|G2PGD|NBvfk

    Ebay won’t let me paste that password from my password manager, they insist I type it in, twice, while they show me the *** symbols (because even in my chair at home somebody is always watching)

    This is dumb. The only thing that does is encourage me to use a bad password, one that I can actually type reliably.

    The really dumb part is that they do let you paste it for a regular login, so any “evil scripts will grab it from the clipboard” arguments they might have otherwise claimed are moot.

    Bad ebay.

    1. sirk

      Since I posted my comment above, ebay has evidently removed the script that stops people from pasting in a password.

      Thanks, ebay

  12. Gary

    Pleased that PayPal offers two-factor authentication via SMS or a purchased device. Would be great if they implemented/allowed the use of e.g. Google Authenticator or Authy as adding a financial cost to security will result in less people using better security.

  13. Rex Yocum

    If you have an Ebay account, CHANGE YOUR PASSWORD RIGHT NOW. Next, verify your shipping address on your account has not changed, because I bought something and it went to a hacker’s address. If you have linked your Ebay account to your Paypal account, go into Paypal and check the shipping information and change your password in there as well. And, don’t use the same password in Paypal and Ebay. Share this and spread the word.

  14. EricB

    Regarding hardware token (Symantec credit card sized token device) vs. getting a text message on your cell phone for two factor authentication which method is more secure? I wasn’t sure if Cell phone text messaging is fully encrypted, or if it could be intercepted, so I opted for the card token.

  15. John Doe

    Brian, if this Ebay attack did not happen, or at least did not get all of the information that is said to be stolen (name, address, phone, birthdate, email, etc.), how difficult or easy would it be to otherwise LEGALLY get most or all of this information??? Maybe you can do an article on this as a comparison and also to provide a different perspective on how much data is out there obtained legally versus illegally.

    My scary thought is that a lot of this info can be obtained without extreme difficulty but maybe still having to pay a large amount of money. such as by obtaining registered voters data, specific demographics info, census data, commercial mailing lists, etc. ???

  16. Wayne

    Thanks for the info on PayPal offering two-factor authentication. I was unaware of that and will be adding it to my account, I don’t do much with Ebay these days but use it a lot with crowdfunding sites.

  17. Marc Balardelle

    I am new to this and I hope that if anything is inappropriate this post will be discarded, but I really feel bad about this.

    Nobody is perfect, and risk management is a recognition of not being able to score perfect, but I wonder if the mailing, today, of a customer success story by a major security firm does not show some lack of empathy in a major security crisis. One can’t help to question the timeliness in the mailing pointing to such a video :
    http://bcove.me/2ljo7d9d. (I wonder how long this will remain available.)

    I double checked and triple checked, yes their customer success story was about how they secured eBay. And they mentioned how they were also protecting them from data loss!

    Again, I know there is no such thing as perfect security, but I can’t help from feeling some cynicism. This situation seems too much out of touch that I am wondering whether I am wrong to have those feelings.

  18. Ed Manley

    Not eBay, Avast….
    “The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.

    This issue only affects our community-support forum. No payment, license, or financial systems or other data were compromised.

    We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately.

    We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.

    All the best,

    Ondrej Vlcek
    COO AVAST Software”

    1. Lisa

      Yup I got that email too. Haven’t used AVAST since I switched to Mac & I’m shocked they still had my email. How embarrassing that an Anti-Virus co got themselves hacked…

  19. Izzy

    I realized tonight that I’ve had a huge increase in the amount of spam email “advertisements” sent to my main email account. I went through my sent items, because in addition to flagging them as spam I forward them to my provider’s missed spam account, and I’ve had 30 spam emails since mid-March! I used to get maybe 2 or 3 a month. Coincidence that this started around the time of the eBay breach? I doubt it. I’m quite careful about giving out my main email account. Grrrr.

    Also, I learned about this breach from a Toronto Star email alert – FIVE DAYS before I finally got an email from eBay. #epicfail

  20. Ed Manley

    @Izzy – Yeah, I get much more junk mail now. It seems that any company with any reservations about selling our data has lost them. I bought a new domain on GoDaddy a couple days ago and had 3 companies email me literally within hours offering to build a website. My info was sold to spammers before I could actually do anything with the site.

    1. Lisa

      Wow! That is Scary! So if I read that right iCloud users should back-up to itunes/chg their iCloud pw/& def NOT pay a ransom if they discover an attempt. (All of which we should be doing on a reg basis anyway) BUT still super scary to me!

  21. Jenna

    I just had to reset my password and straight after this was told my account had been suspended. I have not sold items on eBay for quite a while, only bought, so I don’t know why this has happened. I then emailed them querying this and was asked to provide them with a copy of the front & back of my driver’s licence and a credit card / bank statement with details on there. I haven’t yet done this, as I have found it quite sus they are asking for this after everything that has happened. Anyone else had this issue or have any suggestions as to what to do?

    1. JCitizen

      So you’re saying eBay is requesting this? This does not sound kosher at all! You may have responded to a poser through your email, and are now being redirected to this poser site! I could be wrong, but I’ve never had to deal with eBay in such a way; so my radar is going off at this question.

      Just to be sure – maybe you should use another device or computer that is unlikely to be compromised, and type eBay’s address directly into the address bar, and not by favorite, hyperlink, email link, or search engine, to make sure you are on the actual site, and reiterate what you just told us, to see how to mitigate this problem. You should probably contact PayPal by phone and see what they think of this issue as well. Although PayPal is supposedly completely separated from eBay, they are business partners and would probably help you with any issues related to this event.

  22. Lisa

    Got another notice from eBay to change my password, which I already did.

    1. Martha

      Lisa – I wrote several days ago that after successfully changing my ebay password, I got more emails telling me to change it. I reported them to abuse@ebay.com and they quickly responded that the subsequent emails I received were phishing — and that they were working to shut down those websites.

      I carefully compared the initial (legitimate) change password that ebay sent me to those I later received and found that the long link was slightly different.

      Send the email you received to abuse@ebay.com so they can continue shutting down the phishing websites.

      -Martha

      1. Lisa

        Thx Martha. I have forwarded the last email to spoof@ebay.com as a precaution even though the email directed me to go to eBay’s website but did not actually contain any links.

  23. eddie ski

    Not only do you NEED to change your ebay pwd, but the email account associated with it. And never use the same pwd twice.
    I just received notification on the email account associated with my ebay acct that there were two attempts to change the pwd.
    Anyone want to join in on suing ebay for such lax and poor security…?

  24. Martha

    I just got 2 Apple ID spoof emails telling me my account was temporarily suspended. The actual source was “service_apppleid@wp.pl.”

    I forwarded it to abuse@apple.com. If anyone knows a better address for sending phishing emails to Apple, please let me know.
