EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

eBay has told people to change their passwords for the online tat bazaar after its customer database was compromised. Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords were copied from servers by attackers, we're told. Credit card numbers and other financial records were not …

COMMENTS

This topic is closed for new posts.


  1. Truth4u

    "eBay has reset everyone's passwords as a precaution"

    I just logged in with my original password and it didn't ask me to change it.

    1. Slartybardfast

      Re: "eBay has reset everyone's passwords as a precaution"

      Likewise.

      Is this just ebay.com, or is ebay.co.uk etc affected as well?

      1. The Man Who Fell To Earth Silver badge
        FAIL

        I think not

        Seems not. I just logged into eBay.com with my old password. Also, the claim that eBay has notified users is false as well. I've not received any email from them, nor any message on the eBay internal messaging system.

        1. Psyx

          Re: I think not

          "Also, the claim that eBay has notified users is false as well."

          No it's not, because *I* was notified.

          So it just seems they haven't notified ALL users.

          However, it wasn't well communicated. I received a missive informing me that MY account had been hacked. Rather than fessing up and saying WE have been hacked.

          So...where's the class action suit for failure of data protection...?

    2. John H Woods Silver badge

      Re: "eBay has reset everyone's passwords as a precaution"

      Me too. Is this an ebay.com vs ebay.co.uk difference?

    3. madmalc

      Re: "eBay has reset everyone's passwords as a precaution"

      Me too (.co.uk)

    4. diodesign (Written by Reg staff) Silver badge

      Re: "eBay has reset everyone's passwords as a precaution"

      I jumped the gun in the edit - eBay actually said: "eBay users will be notified via email, site communications and other marketing channels to change their password."

      So you'll have to do it yourself. If you spot something wrong in an article, drop us a line to corrections@thereg so we can fix stuff straight away.

      C.

      1. AaronG

        Re: "eBay has reset everyone's passwords as a precaution"

        Now should I email corrections@theregister.co.uk to say the email address to email corrections to isn't corrections@thereg?

      2. Anonymous Coward

        Re: "eBay has reset everyone's passwords as a precaution"

        and I've not been "notified" by any of those means. Which either means the info is wrong, or only the small number of users affected will be "notified".

    5. Pork Chop Express

      Re: "eBay has reset everyone's passwords as a precaution"

      I was not prompted to change my password on .com or .co.uk.

  2. Anonymous Coward

    Quick!

    The database was compromised 2 months ago, login and change your passwords now??? Fail. Why was this message not released earlier?

    1. Alister Silver badge

      Re: Quick!

      Why was this message not released earlier?

      Because they only just found out?

      1. Anonymous Coward

        Re: Quick!

        Just found out...two weeks ago.

        1. Destroy All Monsters Silver badge
          Trollface

          Re: Quick!

          There is a sad country music song in there somewhere.

          1. Mpeler

            Re: Quick!

            @Destroy All Monsters "Re: Quick! There is a sad country music song in there somewhere."

            How about "Time Wounds All Heels" ? (Hank Thompson)

            or

            "There's a Tear in My Beer" ? (Hank Williams)

      2. Anonymous Coward
        Meh

        Re: Quick!

        Because, being the grumpy cynic that I am, they wanted to get their "Advertise x number of items for free" campaign under way before driving traffic to their site for their password reset.

        Good old bury the bad news with the "good"

  3. moiety

    Splendid. This is only a few days *after* they tried to link my eBay account to my PayPal account. Seems like my "fuck that noise" auto-response was the correct one.

    1. moiety

      You may disapprove, downvoter, but the fact remains that the attempt to link my ebay and paypal accounts so I could pay for stuff without the inconvenience of logging into paypal occurred on the 13th. That is right in the middle of the time between discovering the hack and disclosing it. Also refusing locked my account somehow and I couldn't buy useless shit for two days after the refusal.

      1. Jim 48

        I think some people just down-vote if there is a bit of 'blue' language.

        (And I agree with your 'not linking ebay & paypal' sentiment)

  4. Alan Sharkey

    I am somewhat concerned that my personal information is now released into the wild by sloppy security. Can we sue ebay when someone assumes my identity (yes, half a joke because that's not the UK way - but it is a serious issue which Ebay seem to have minimised)?

    And, yes, I logged into the .com site and it did not ask me to change my password.

    1. Steven Raith

      Yup

      "Names, dates of birth, phone numbers, physical addresses"

      Don't need much more to set up a variety of hooky, credit related accounts.

      What a bunch of morons.

      1. Anonymous Coward

        Re: Yup

        Lucky for me I rarely use my real date of birth for any online site. (Often not even my real physical address, just one I can collect deliveries from).

        Sure, it makes things much more interesting when asked security questions and also breaks the site terms, but it also makes my information much harder to steal.

        Although, my actual credit score is terrible because of this practice (& that I spend beyond my means).

    2. Uffish

      ebay security

      I always thought there was some sort of data protection law in force. Wonder what the penalties are.

      eg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

      http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

      Probably never been ratified because it's 'foreign'.

    3. DropBear Silver badge
      Joke

      "Thank you for changing your password. For added security, please consider also changing your name, date of birth, phone number and physical address as well..."

    4. Tom 13

      Re: my personal information is now released into the wild

      Yes, that would be my only concern. Not sure if I have an account with them. If I do it is more than 10 years old and I haven't used it since I created it. Not sure I'd recall what the password is if I tried. Pretty sure it was attached to an ISP email account that I couldn't get a password reset on because of merger magic. So at least as far as I'm concerned the only thing there they could steal is my identity.

  5. Anonymous Coward
    Windows

    Sigh...

    Here we go again. Shoddy security and poorly trained staff coupled with plaintext details stored on an (apparently) easy to access back end.....

    Companies like this should have the arse fined off them to demonstrate that it's not acceptable in this day and age...

    At least in my case they have no genuine details but that is only by good sense on my part.

    Still, no emails asking me to change my false details for more false ones and no word on the level of encryption used. These days, your personal details are worth more than financial ones...

    1. Anonymous Coward

      Re: Sigh...

      False Details? It's pretty hard to buy stuff off e-bay with false details, the goods have to be delivered somewhere.

      Or do you rent a small studio apartment in Scotland to receive all goods purchased online, with a burner phone number and a pre-pay top up credit card?

      1. Anonymous Coward

        Re: Sigh...

        Yes, they do, to the registered address on my PAYPAL account!!!!!

        Not to the false one listed on my ebay account!!!!!

        1. Anonymous Coward

          Re: Sigh...

          "Yes, they do, to the registered address on my PAYPAL account!!!!!

          Not to the false one listed on my ebay account!!!!!"

          Do you realise that Paypal and Ebay are the same company? If Paypal have your address, then so do Ebay.

          Nice use of exclamation marks - you seriously wanted to exclaim that post.

          1. Anonymous Coward

            Re: Sigh...

            "Nice use of exclamation marks - you seriously wanted to exclaim that post."

            Yes, I did because it's a good idea and has all but ensured my personal details are still relatively safe from prying eyes.

          2. Anonymous Coward

            Do you realise that Paypal and Ebay are the same company?

            Do you realise that the details are stored on totally separated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?

            Nice display of utter ignorance there. No wonder you decided to post anonymously...

            1. Anonymous Coward

              Re: Do you realise that Paypal and Ebay are the same company?

              "Do you realise that the details are stored on totally separated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?"

              Right, so you are a psychic who predicted it would be ebay that would be hacked and not paypal. You hadn't mentioned your special abilities before, impressive.

        2. tim 13

          Re: Sigh...

          You do realise that if someone sends your items to your fake eBay registered address then you have no comeback?

          1. Anonymous Coward

            Re: Sigh...

            Good god, the thickness is strong in a lot of folks today.

            This is my fake ebay address.

            01 DO NOT USE THIS

            ADDRESS.

            USE THE PAYPAL ONE

            DN11 3RT

            Anyone who thinks that that is a real address is about as much of a numbnuts as the commen(re)tards who downvoted my post without first actually thinking about it.

      2. AJ MacLeod

        Re: Sigh...

        No point in doing that, you'd end up having to pay all the ridiculous delivery surcharges...

    2. big_D Silver badge
      Facepalm

      Re: Sigh...

      Also sounds like they don't know the difference between hashing and encrypting - most sites hash passwords (with a salt), so they cannot be "unencrypted". I would assume, if they are storing the important personal information in plain text, that they aren't encrypting the passwords, but simply hashing them - if the rest of the fiasco is anything to go by, probably MD5 with no salt. :-P

  6. Anonymous Coward

    Tried to change password ..

    .. couldn't find the option anywhere

    Total FAIL

    1. moiety

      Re: Tried to change password ..

      It's in the "Hi $User" bit at the top left. Click on it, then go for "Account Settings"; then "Personal Information". Took me a while to find it too.

    2. DaveyDaveDave

      Agreed

      Yeah, that is a bit of a fail, but good on you for owning up to it. My Account > Personal Settings > Edit Password, from memory of finding it myself in about 30 seconds earlier today...

      1. Martin-73 Silver badge

        Re: Agreed

        The fact the 'my account' pulls up the financial account is the kicker there. It will make people who don't look CAREFULLY assume (wrongly) that they're in the incorrect section of ebay. It's a poor bit of design by FleaBuy

        1. Destroy All Monsters Silver badge
          Trollface

          Re: Agreed

          Well, even the IEEE doesn't into getting that "passwords" usability right, so why should ewwbay and failpal?

    3. This post has been deleted by its author

    4. phuzz Silver badge
      FAIL

      Re: Tried to change password ..

      And for your next challenge, try finding the 'Change Password' link on PayPal's site.

      I ended up using the help system in the end, only to find that their help system was offline.

      (it's in My Account > Profile > My Details).

      Also, why do both PayPal and eBay have a 20 character limit on passwords?

      1. Credas Silver badge

        Re: Tried to change password ..

        "Also, why do both PayPal and eBay have a 20 character limit on passwords?"

        And why do PayPal, at least, prevent copy-and-pasting into the password box, thus ensuring that you can't use a password manager and strong unique passwords?

        1. Tony Quinn

          Re: Tried to change password ..

          PayPal doesn't - I've just tried it and the old Ctrl-C/Ctrl-V trick works just fine!

          1. localzuk

            Re: Tried to change password ..

            The 20 character limit is worrying. It screams "flawed reversible encryption" rather than salted hashes for passwords.

            1. Bah Humbug

              Re: Tried to change password ..

              Not only is there a twenty char limit, they don't allow spaces in passwords either - so much for my normal practice of using a sentence for a password.
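Added example, not part of any comment in this thread and not eBay's or PayPal's code: a minimal Python sketch of the distinction raised in the comments above, comparing an unsalted MD5 digest with a salted, slow, one-way hash, and showing that a hashed password is stored at a fixed size whatever its length or spacing. PBKDF2-SHA256, the iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for this sketch, not a value from the thread


def md5_unsalted(password: str) -> str:
    """The weak scheme one commenter guesses at: a single fast, unsalted digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow, one-way hash; returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def demo() -> dict:
    # Constructed sample: two accounts that chose the same weak password.
    same_md5 = md5_unsalted("tiddles") == md5_unsalted("tiddles")
    _, key_a = hash_password("tiddles")
    _, key_b = hash_password("tiddles")
    # Constructed sample: a sentence with spaces, longer than 20 characters.
    sentence = "so much for using a sentence as my password"
    salt, key = hash_password(sentence)
    return {
        "unsalted_digests_match": same_md5,
        "salted_digests_match": key_a == key_b,
        "stored_len_short": len(key_a),
        "stored_len_sentence": len(key),
        "sentence_verifies": verify_password(sentence, salt, key),
        "wrong_guess_rejected": not verify_password(sentence + "!", salt, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Identical passwords produce identical unsalted digests, so one precomputed lookup exposes every account that shares them; with per-account salts the stored values differ, and the stored value is 32 bytes for both the short password and the sentence.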

        2. Wild Bill

          Re: Can't paste in password

          I just found this with ebay's password reset functionality. Ridiculous. To make it worse the form requires JS to work (great design there), so can't disable it to allow the pasting.

          In the end I had to use firebug to edit the input's value to paste in my actually secure password rather than just using my cat's name. It's like they want people to use rubbish passwords!

      2. My Coat
        Happy

        Re: Tried to change password ..

        I found the close account option quicker than the change password option - so used that approach instead.

    5. Cripes Chief!

      Re: Tried to change password ..

      It's not obvious, click on the arrow next to your profile name in top left corner and select Personal details. It is then listed as an option in the next screen.

      But like others have said, although I changed my PW my old one was working fine.


Biting the hand that feeds IT © 1998–2019