Re: no indication of INCREASED fraudulent account activity on eBay
So, if there was no evidence of fraudulent account activity, how did they know they'd been hacked?
This is actually quite an interesting incident and any comment must involve a certain amount of reading between the lines. The truth is undoubtedly out there but getting to it may present a challenge. But a bit of speculation seems in order...
So then - if the intrusion happened a couple of months back and it was only detected weeks ago, we have two possibilities - either eBay are truly incompetent to the point of recklessness, or this was a fairly stealthy attack by someone who was actually rather good at this sort of thing. If the latter is true, then my best guess would be some sort of spear-phishing directed at system admin type folks. A bit of homework scanning through LinkedIn would probably produce enough information to send a plausible email containing some sort of zero-day attack either as an attachment (old hat) or a link back to a compromised site. Job done, start extracting information and loading up the rootkits or whatever.
No conventional security tools are likely to detect this if done well.
At this point, my sympathies are with eBay. Briefly.
However, whatever protection they had over encrypted/hashed passwords was obviously woefully inadequate, assuming of course that passwords were compromised rather than 'might have been' compromised.
Which leads to epic fail on communications. Keeping your mouth shut for a couple of weeks is understandable - getting the forensics folks in and crawling all over your logs etc., and understanding the extent of the problem before you go public, is perfectly reasonable.
But - that period should give you enough breathing space to produce a coherent and sensible communications strategy. One that does not consist of vague advice to change your password. Why the hell couldn't someone have written a script to enforce password change at next logon? Not rocket science.
Bad security controls and poor incident management. A classic example of a major organisation not taking information security seriously.
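The "enforce password change at next logon" control the commenter asks for is easy to sketch. The block below is an added illustration, not code from the thread or from eBay: it keeps a constructed in-memory account store (the `ACCOUNTS` and `SESSIONS` dicts, the `PBKDF2_ITERATIONS` work factor and all account names are assumptions for the example), hashes passwords with salted PBKDF2-HMAC-SHA256 rather than a bare hash, and on a compromise flags every account whose password predates the intrusion window, drops all live sessions, and refuses to issue a new session until the user has rotated to a different password.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory store for this example; a real deployment keeps these
# in a database and the work factor in configuration (all assumptions here).
ACCOUNTS = {}   # username -> account record
SESSIONS = {}   # session token -> username

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_account(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    ACCOUNTS[username] = {
        "salt": salt,
        "digest": digest,
        "must_reset": False,
        "password_set_at": time.time(),
    }


def force_reset_for_all(compromise_time: float) -> int:
    """Incident response step: flag every account whose current password was
    set on or before the compromise time and invalidate all sessions, so the
    next logon cannot proceed without a password change. Returns the count."""
    flagged = 0
    for acct in ACCOUNTS.values():
        if acct["password_set_at"] <= compromise_time:
            acct["must_reset"] = True
            flagged += 1
    SESSIONS.clear()
    return flagged


def login(username: str, password: str) -> Tuple[str, Optional[str]]:
    """Returns (status, session_token); status is 'denied', 'reset_required'
    or 'ok'. A flagged account authenticates but receives no session."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        # Do the same work for unknown users so timing does not reveal them.
        hash_password(password, b"\x00" * 16)
        return "denied", None
    _, candidate = hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["digest"]):
        return "denied", None
    if acct["must_reset"]:
        return "reset_required", None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return "ok", token


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """Rotate to a fresh salt and digest and clear the reset flag. The old
    password alone authorises the change, so no session is needed, and reusing
    the possibly leaked password is refused."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    _, candidate = hash_password(old_password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["digest"]):
        return False
    if new_password == old_password:
        return False
    salt, digest = hash_password(new_password)
    acct.update(salt=salt, digest=digest, must_reset=False, password_set_at=time.time())
    return True
```

The two points worth copying are that the reset is keyed on when each password was last set, so users who already rotated after the intrusion are not nagged twice, and that every existing session is dropped at the same time, since a stolen credential is only useful to an attacker while a logon with it still yields a session.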