Griff (21st May 2014)
You may want to change your password.
Source: Business Wire
eBay Inc. said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.
Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.
"However, the database did not contain financial information or other confidential personal information."
No, only my full name, date of birth and full home address. There's nothing can be done with that.
Another appropriate time to point out how marvellous https://lastpass.com/ is.
Wonderful.. bit embarrassing for them then.
Just changed mine! Another LastPass user here, very useful.
Lastpass never heard of it...just watched the video...I want to be like bob.
I use Keepass.. Same sort of program, I assume. I'll be changing mine when I get home. The 'Auto-type' function is awesome. I don't even need to know what my passwords are.
Also has the advantage of meaning I can't get on eBay/etc and buy stuff when I'm not on my home PC, which is nice. Not that I actually have a problem with that.
Last edited by Garacesh; 21st May 2014 at 03:07 PM.
They didn't say when they discovered the breach.
Does anyone know if this is "we've just noticed and are telling you now" or "we sat on the information for nearly two months and then decided to tell you"?
Agreed, password managers are the way to go these days. I'm a heavy Lastpass user with 2FA built in. $12 a year is nothing.
Data leaked late Feb early March...
eBay Inc. To Ask eBay Users To Change Passwords | ebay inc
I just have Keepass on my machine at home. Google is synched to my phone, as it's an Android, and most of the other sites I use aren't really work sites anyway.. Reddit, Facebook, eBay, PayPal, etc. I've pretty much changed up everything since the HeartBleed bug, even sites that purportedly weren't affected.
Last edited by Garacesh; 21st May 2014 at 03:35 PM.
"The company said that the compromised employee log-in credentials were first detected about two weeks ago."
So they've sat on it for a fortnight, with it going unnoticed for two months before that.
As the BBC News story mentions, the real danger is that the personal information that was compromised can be used on password reset forms elsewhere. Luckily my eBay username is different from every other site - only because my usual choice was already taken when I signed up back in the day.
pete (21st May 2014)
Dammit, I read the BBC article (which didn't mention the when), rather than RTFA linked from BusinessWire.
local-only encryption. I've got mine set up with 2FA using Google Authenticator as well.
HeartBleed: LastPass updated overnight to tell you not only which websites had been compromised, but also which ones hadn't updated yet, and therefore weren't worth changing your password on yet.