EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

eBay‬ has told people to change their passwords for the online tat bazaar after its customer database was compromised. Names, dates of birth, phone numbers, physical addresses, email addresses, and "encrypted" passwords, were copied from servers by attackers, we're told. Credit card numbers and other financial records were not …

COMMENTS

  1. Truth4u

    "eBay has reset everyone's passwords as a precaution"

    I just logged in with my original password and it didn't ask me to change it.

    1. Slartybardfast

      Re: "eBay has reset everyone's passwords as a precaution"

      Likewise.

      Is this just ebay.com, or is ebay.co.uk etc affected as well?

      1. The Man Who Fell To Earth
        FAIL

        I think not

        Seems not. I just logged into eBay.com with my old password. Also, the claim that eBay has notified users is false as well. I've not received any email from them, nor any message on the eBay internal messaging system.

        1. Psyx

          Re: I think not

          " Also, the claim that eBay has notified users is false as well."

          No it's not, because *I* was notified.

          So it just seems they haven't notified ALL users.

          However, it wasn't well communicated. I received a missive informing me that MY account had been hacked. Rather than fessing up and saying WE have been hacked.

          So...where's the class action suit for failure of data protection...?

    2. John H Woods

      Re: "eBay has reset everyone's passwords as a precaution"

      me too. Is this an ebay.com vs ebay.co.uk difference?

    3. madmalc

      Re: "eBay has reset everyone's passwords as a precaution"

      Me too (.co.uk)

    4. diodesign (Written by Reg staff)

      Re: "eBay has reset everyone's passwords as a precaution"

      I jumped the gun in the edit - eBay actually said: "eBay users will be notified via email, site communications and other marketing channels to change their password."

      So you'll have to do it yourself. If you spot something wrong in an article, drop us a line to corrections@thereg so we can fix stuff straight away.

      C.

      1. AaronG

        Re: "eBay has reset everyone's passwords as a precaution"

        Now should I email corrections@theregister.co.uk to say the email address to email corrections to isn't corrections@thereg?

      2. Anonymous Coward

        Re: "eBay has reset everyone's passwords as a precaution"

        and I've not been "notified" by any of those means. Which either means the info is wrong, or only the small number of users affected will be "notified".

    5. Pork Chop Express

      Re: "eBay has reset everyone's passwords as a precaution"

      I was not prompted to change my password on .com or .co.uk.

  2. Anonymous Coward

    Quick!

    The database was compromised 2 months ago, login and change your passwords now??? Fail. Why was this message not released earlier?

    1. Alister

      Re: Quick!

      Why was this message not released earlier?

      Because they only just found out?

      1. Anonymous Coward

        Re: Quick!

        Just found out...two weeks ago.

        1. Destroy All Monsters
          Trollface

          Re: Quick!

          There is a sad country music song in there somewhere.

          1. Mpeler

            Re: Quick!

            @Destroy All Monsters "Re: Quick! There is a sad country music song in there somewhere."

            How about "Time Wounds All Heels" ? (Hank Thompson)

            or

            "There's a Tear in My Beer" ? (Hank Williams)

      2. Anonymous Coward
        Meh

        Re: Quick!

        Because, being the grumpy cynic that I am, they wanted to get their "Advertise x number of items for free" campaign under way before driving traffic to their site for their password reset.

        Good old bury the bad news with the "good"

  3. moiety

    Splendid. This is only a few days *after* they tried to link my eBay account to my PayPal account. Seems like my "fuck that noise" auto-response was the correct one.

    1. moiety

      You may disapprove, downvoter, but the fact remains that the attempt to link my ebay and paypal accounts so I could pay for stuff without the inconvenience of logging into paypal occurred on the 13th. That is right in the middle of the time between discovering the hack and disclosing it. Also refusing locked my account somehow and I couldn't buy useless shit for two days after the refusal.

      1. Jim 48

        I think some people just down-vote if there is a bit of 'blue' language.

        (And I agree with your 'not linking ebay & paypal' sentiment)

  4. Alan Sharkey

    I am somewhat concerned that my personal information is now released into the wild by sloppy security. Can we sue ebay when someone assumes my identity? (Yes, half a joke because that's not the UK way - but it is a serious issue which Ebay seem to have minimised.)

    And, yes, I logged into the .com site and it did not ask me to change my password.

    1. Steven Raith

      Yup

      "Names, dates of birth, phone numbers, physical addresses"

      Don't need much more to set up a variety of hooky, credit related accounts.

      What a bunch of morons.

      1. Anonymous Coward

        Re: Yup

        Lucky for me I rarely use my real date of birth for any online site. (Often not even my real physical address, just one I can collect deliveries from).

        Sure, it makes things much more interesting when asked security questions and also breaks the site terms, but it also makes my information much harder to steal.

        Although, my actual credit score is terrible because of this practice (& that I spend beyond my means).

    2. Uffish

      ebay security

      I always thought there was some sort of data protection law in force. Wonder what the penalties are.

      eg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

      http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

      Probably never been ratified because it's 'foreign'.

    3. DropBear
      Joke

      "Thank you for changing you password. For added security, please consider also changing your name, date of birth, phone number and physical address as well..."

    4. Tom 13

      Re: my personal information is now released into the wild

      Yes, that would be my only concern. Not sure if I have an account with them. If I do it is more than 10 years old and I haven't used it since I created it. Not sure I'd recall what the password is if I tried. Pretty sure it was attached to an ISP email account that I couldn't get a password reset on because of merger magic. So at least as far as I'm concerned the only thing there they could steal is my identity.

  5. Anonymous Coward
    Windows

    Sigh...

    Here we go again. Shoddy security and poorly trained staff coupled with plaintext details stored on an (apparently) easy to access back end.....

    Companies like this should have the arse fined off them to demonstrate that its not acceptable in this day and age...

    At least in my case they have no genuine details but that is only by good sense on my part.

    Still, no emails asking me to change my false details for more false ones and no word on the level of encryption used. These days, your personal details are worth more than financial ones...

    1. Anonymous Coward

      Re: Sigh...

      False Details? It's pretty hard to buy stuff off e-bay with false details, the goods have to be delivered somewhere.

      Or do you rent a small studio apartment in Scotland to receive all goods purchased online, with a burner phone number and a pre-pay top up credit card?

      1. Anonymous Coward

        Re: Sigh...

        Yes, they do, to the registered address on my PAYPAL account!!!!!

        Not to the false one listed on my ebay account!!!!!

        1. Anonymous Coward

          Re: Sigh...

          "Yes, they do, to the registered address on my PAYPAL account!!!!!

          Not to the false one listed on my ebay account!!!!!"

          Do you realise that Paypal and Ebay are the same company? If Paypal have your address, then so do Ebay.

          Nice use of exclamation marks - you seriously wanted to exclaim that post.

          1. Anonymous Coward

            Re: Sigh...

            "Nice use of exclamation marks - you seriously wanted to exclaim that post."

            Yes, i did because its a good idea and has all but ensured my personal details are still relatively safe from prying eyes.

          2. Anonymous Coward

            Do you realise that Paypal and Ebay are the same company?

            Do you realise that the details are stored on totally separated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?

            Nice display of utter ignorance there. No wonder you decided to post anonymously...

            1. Anonymous Coward

              Re: Do you realise that Paypal and Ebay are the same company?

              "Do you realise that the details are stored on totally seperated systems and Paypal have publicly stated that none of the details on THEIR servers have been affected?!?"

              Right, so you are a psychic who predicted it would be ebay that would be hacked and not paypal. You hadn't mentioned your special abilities before, impressive.

        2. tim 13

          Re: Sigh...

          You do realise that if someone sends your items to your fake eBay registered address then you have no comeback?

          1. Anonymous Coward

            Re: Sigh...

            Good god, the thickness is strong in a lot of folks today.

            This is my fake ebay address.

            01 DO NOT USE THIS

            ADDRESS.

            USE THE PAYPAL ONE

            DN11 3RT

            Anyone who thinks that that is a real address is about as much of a numbnuts as the commen(re)tards who downvoted my post without first actually thinking about it.

      2. AJ MacLeod

        Re: Sigh...

        No point in doing that, you'd end up having to pay all the ridiculous delivery surcharges...

    2. big_D
      Facepalm

      Re: Sigh...

      Also sounds like they don't know the difference between hashing and encrypting - most sites hash passwords (with a salt), so they cannot be "unencrypted". I would assume, if they are storing the important personal information in plain text, that they aren't encrypting the passwords, but simply hashing them - if the rest of the fiasco is anything to go by, probably MD5 with no salt. :-P

  6. Anonymous Coward

    Tried to change password ..

    .. couldn't find the option anywhere

    Total FAIL

    1. moiety

      Re: Tried to change password ..

      It's in the "Hi $User" bit at the top left. Click on it, then go for "Account Settings"; then "Personal Information". Took me a while to find it too.

    2. DaveyDaveDave

      Agreed

      Yeah, that is a bit of a fail, but good on you for owning up to it. My Account > Personal Settings > Edit Password, from memory of finding it myself in about 30 seconds earlier today...

      1. Martin-73

        Re: Agreed

        The fact the 'my account' pulls up the financial account is the kicker there. It will make people who don't look CAREFULLY assume (wrongly) that they're in the incorrect section of ebay. It's a poor bit of design by FleaBuy

        1. Destroy All Monsters
          Trollface

          Re: Agreed

          Well, even the IEEE doesn't get that "passwords" usability right, so why should ewwbay and failpal?

    3. This post has been deleted by its author

    4. phuzz
      FAIL

      Re: Tried to change password ..

      And for your next challenge, try finding the 'Change Password' link on PayPal's site.

      I ended up using the help system in the end, only to find that their help system was offline.

      (it's in My Account > Profile > My Details).

      Also, why do both PayPal and eBay have a 20 character limit on passwords?

      1. Credas

        Re: Tried to change password ..

        "Also, why do both PayPal and eBay have a 20 character limit on passwords?"

        And why do PayPal, at least, prevent copy-and-pasting into the password box, thus ensuring that you can't use a password manager and strong unique passwords?

        1. Tony Quinn

          Re: Tried to change password ..

          PayPal doesn't - I've just tried it and the old Ctrl-C/Ctrl-V trick works just fine!

          1. localzuk

            Re: Tried to change password ..

            The 20 character limit is worrying. It screams "flawed reversible encryption" rather than salted hashes for passwords.

            1. Bah Humbug

              Re: Tried to change password ..

              Not only is there a twenty char limit, they don't allow spaces in passwords either - so much for my normal practice of using a sentence for a password.

        2. Wild Bill

          Re: Can't paste in password

          I just found this with ebay's password reset functionality. Ridiculous. To make it worse the form requires JS to work (great design there), so can't disable it to allow the pasting.

          In the end I had to use firebug to edit the input's value to paste in my actually secure password rather than just using my cat's name. It's like they want people to use rubbish passwords!

      2. My Coat
        Happy

        Re: Tried to change password ..

        I found the close account option quicker than the change password option - so used that approach instead.

    5. Cripes Chief!

      Re: Tried to change password ..

      It's not obvious, click on the arrow next to your profile name in top left corner and select Personal details. It is then listed as an option in the next screen.

      But like others have said, although I changed my PW my old one was working fine

  7. Tom 38

    "Encrypted" passwords

    Damn well hope my password wasn't encrypted, and was actually hashed.

    It would have been more useful if they had said whether the passwords were salted or not. If my salted hashed password has been released, I'm totally "meh" about it, where as if my unsalted encrypted password has been released then I'm much more angry.

    1. sabroni
      Happy

      That's known as Schrödinger's anger.

      1. moiety

        ...about 50% of the time.

    2. Indolent Wretch

      Re: "Encrypted" passwords

      Well unless they got the salt too, I wouldn't be surprised if eBay have it in the next column.

      1. Phil O'Sophical

        Re: "Encrypted" passwords

        Doesn't matter if they got the salt too, the idea of a salt is that each password is hashed differently, so they can't just store a dictionary of hashed strings which they can compare against. They'd need a dictionary per possible salt value. That is unwieldy and slows down any attack, which in general is the best you can ever hope for.

      2. Credas

        Re: "Encrypted" passwords

        Still screws up using rainbow tables though, doesn't it?

        1. -tim

          Re: "Encrypted" passwords

          Standard salting isn't enough if you have billions of logins. The standard salt on many systems is only 8 characters and only contains about 48 bits of entropy. That is about 300 trillion unique salt values so there should only be about a 1 in 300,000 chance that your eBay password shared the same salt as another user; however that assumes the random salt generator works properly, and what I've seen in the real world is a few thousand people will be sharing the same salt. eBay must release details of how those passwords were stored. They also need to identify any large groups of users with shared salts since they will be the 1st targets.

          1. Adam 1

            Re: "Encrypted" passwords

            Don't confuse an implementation of salt with the definition of a salt. Salt is simply a technique. It can be 2 bytes but it can just as easily be 256 randomly generated bytes (or any number). It doesn't even have to be appended to the end. You know the size of the hash output so you can interleave the salt and resulting hash in the one field if you want. That approach means that your authentication server can easily get all the information it needs and you can not tell from the table what is hash and what is salt.

    3. Tufty Squirrel
      Mushroom

      Re: "Encrypted" passwords

      >> It would have been more useful if they had said whether the passwords were salted or

      >> not. If my salted hashed password has been released, I'm totally "meh" about it,

      >> where as if my unsalted encrypted password has been released then I'm much more angry.

      You're wrong, then. Let's assume (and it may be a rather large assumption) that ebay are not complete fucking maroons, and are not only salting your password, but salting your password with a unique-to-you, or better, unique-every-time-you-change-your-password salt. Now, as the bad guys have your salted password hash, they can't do anything with it, right? Wrong. Of course they can. If they've managed to extract your salted, hashed password from ebay's database, we can also assume they bothered to extract the salts at the same time, and they know the salting & hashing algorithm that ebay use. Because they aren't fucking mongs either; indeed, we should assume they are somewhat smarter than you or I. So, if your account particularly takes their interest, they are perfectly capable of building a rainbow table for reversing your password hash to its original plaintext version of "ebay.com". If it's salted uniquely per password, they can't then use the rainbow table to reduce the time taken to do an *en masse* reverse; they effectively need to brute force every password. And even that is less of an issue should they happen to have a botnet at their disposal; all they need to do is distribute hash/salt pairs out, and have their bots do the crunching via brute force rather than rainbow tables. That's how I'd do it, anyway.

      We can probably assume that ebay have fallen into the common trap of using lower-complexity hashing algorithms, on the grounds that 500ms is too long to wait to log in, and the combined compute load of their users logging in would be too expensive should they use something "heavyweight". Which is fair enough, but it makes brute-forcing feasible, time-wise. And even if they are using something "hard", all the brute forcer needs to do is give up after a certain amount of time, or put harder hashes "back onto the queue" for later attention, focussing on getting the lower hanging fruit first.

      Whichever way you look at it, if they want into your account, you're proper fucked whatever happens.
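The thread above (big_D on hashing vs encrypting, Phil O'Sophical and Credas on what a salt buys you, -tim on repeated salts, Adam 1 on packing salt and hash into one field, Tufty Squirrel on brute-forcing fast hashes) can be shown concretely. The following is an added example written for this page, not eBay's code and not a description of how eBay stored anything: it stores the same constructed accounts as unsalted MD5 and as per-user salted PBKDF2-HMAC-SHA256 (assumed here as the "heavyweight" option; the iteration count is an assumption), then runs the same wordlist against both and counts the attacker's hash calls. The account names, passwords and wordlist are made up for the demonstration.

```python
"""Added example (not eBay's code): unsalted MD5 vs per-user salted PBKDF2,
and why the attacker's cost differs between the two storage schemes."""
import hashlib
import hmac
import os

SALT_BYTES = 16
HASH_BYTES = 32           # SHA-256 output length; verifier uses it to split the field
ITERATIONS = 50_000       # assumed work factor for the demo; real deployments tune higher


def store_unsalted_md5(password):
    """The scheme the thread fears: one fast hash, no salt, same output for same password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Per-user random salt + slow KDF, packed into ONE field as salt||hash (hex).

    Because HASH_BYTES is fixed, the verifier can split the field without a
    separate salt column (Adam 1's point). A caller may pass a salt only to
    simulate a broken salt generator; normal use leaves it None."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, HASH_BYTES)
    return (salt + dk).hex()


def _unpack(record):
    """Split a packed record back into (salt, hash); the hash is the last HASH_BYTES."""
    raw = bytes.fromhex(record)
    return raw[:-HASH_BYTES], raw[-HASH_BYTES:]


def verify_salted(password, record):
    """Server-side check: recompute with the stored salt and compare in constant time."""
    salt, dk = _unpack(record)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, HASH_BYTES)
    return hmac.compare_digest(cand, dk)


def crack_unsalted(records, wordlist):
    """Attacker side, unsalted: ONE precomputed table serves every user at once.
    Returns (cracked users, number of hash computations)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist):
    """Attacker side, salted: no shared table; every (user, guess) pair costs a full KDF run,
    so the work scales with users x guesses, and a slow KDF multiplies that again."""
    cracked, calls = {}, 0
    for user, record in records.items():
        salt, dk = _unpack(record)
        for guess in wordlist:
            calls += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS, HASH_BYTES) == dk:
                cracked[user] = guess
                break
    return cracked, calls


def shared_salts(records):
    """Groups of users whose salt repeats: with a bad salt RNG these are -tim's
    'first targets', because one guess can be checked against the whole group."""
    by_salt = {}
    for user, record in records.items():
        salt, _ = _unpack(record)
        by_salt.setdefault(salt, []).append(user)
    return {s.hex(): users for s, users in by_salt.items() if len(users) > 1}


# Constructed sample accounts and attacker wordlist (made up for the example).
USERS = {"alice": "ebay.com", "bob": "password1", "carol": "correct horse battery staple"}
WORDLIST = ["123456", "password", "password1", "ebay.com", "qwerty", "letmein"]


def demo():
    """Store USERS both ways and attack both tables with WORDLIST."""
    unsalted = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    return crack_unsalted(unsalted, WORDLIST), crack_salted(salted, WORDLIST)


if __name__ == "__main__":
    (c1, n1), (c2, n2) = demo()
    print("unsalted MD5:  cracked", c1, "with", n1, "hash calls")
    print("salted PBKDF2: cracked", c2, "with", n2, "KDF calls")
```

Both schemes give up the two weak passwords; the difference is the bill. Against the unsalted table the attacker hashes each word once (6 calls) and matches every user with a dictionary lookup, which is exactly what a rainbow table industrialises. Against salted records the same wordlist costs 13 separate KDF runs for three users, and each run is deliberately slow, so the cost grows with the number of accounts rather than being paid once. It does not save a password that is in the wordlist, which is Tufty Squirrel's point: salting and a slow hash buy time for everyone, not safety for a guessable password.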

  8. Hankie

    I love the way the say that "no financial information was compromised" - Well that doesn't matter as they now have all the information they need to take our credit cards, loans and to commit identity fraud regardless.

  9. Joseba4242

    Data used for phishing

    "The digital break-in of staff accounts was detected about two weeks ago" ... "no evidence of the compromise resulting in unauthorized activity"

    Really? My sister notified them on 22nd April about an eBay phishing email she received which contained her very personal contact details as provided to eBay. The phishing email was asking to fill in a form with all credit card details.

    The personal details provided made it look very credible I have to say.

  10. Tom Paris

    Known about it for two weeks...

    and they didn't think to mention this absolutely immediately...

    and no emails from them

    and no message on the front page

    A lesson in how not to manage security issues post exploit.

    1. Anonymous Coward

      All they knew 2 weeks ago was that a couple of staff accounts had been compromised.

      The subsequent investigation, which took time, revealed what was accessed by those staff accounts.

  11. Anonymous Coward

    Hmm, seems odd.

    That when Sony told everyone that payment details weren't taken, the press conveniently, "forgot" to include that rather important nugget. EBay have the luxury of having it in bold.

    It also seems odd that whilst Sony got a tonne of bad press for dragging their heels for a week whilst doing forensic analysis on the hack and gaining solid information, that was totally unacceptable, yet eBay sitting on this knowledge since February is somehow perfectly fine.

    Funny old world....

    1. Anonymous Coward

      Re: Hmm, seems odd.

      Why not post under your Sony ID instead of anonymous?

  12. Trooper_ID

    darn it. It gets tedious inventing new passwords, there are so many sites that I log into, I need an A4 notepad to store all my passwords - and then I have to encrypt that in some way so that no one can somehow use it if they find my list of site names and passwords........ Wish I had an eidetic memory :-(

    1. phuzz

      Try something like LastPass, KeePass or another password vault.

      Just make sure your master password is as long and complex as possible, and ideally use two factor auth.

    2. Anonymous Coward

      Or come up with a master password and a rule to derive extra bits based on the domain name. For instance, "ABCD123" & characters 5-8 of domain name & "45EFGH" & number of characters in domain name + 2 & "IJK678". Different password for each site, easy to remember, can be done with your brain so no software required (which you might not always have), and tough to reverse engineer. I also advise basing the master password on the initials of a memorable sentence, which makes it trivially easy to remember a good long password with no dictionary words or obvious patterns in it. Takes a bit of concentration for the first couple of days, then just comes easily.

      For example, using the sentence "The 2014 version of Godzilla is way better than that pitiful Roland Emmerich shite" gives "T2014voGiwbttpREs". Add the above rules for this site, and you could get "T2014vegisoGiwbt13tpREs". Same system for Amazon.co.uk would give "T2014voncooGiwbt8tpREs".

  13. Flywheel

    Encryption

    "Exactly how the tat bazaar's passwords were “encrypted" "

    ROT13 for the US and Pig Latin for the rest of the world. No problemo.

  14. Phil O'Sophical

    encrypting sensitive personal data

    Why do companies like @eBay or @Target NOT encrypt sensitive personal data? Let me hear one single good reason.

    How about because for things like addresses they need to be able to decrypt it, which means they need to store the password, and that can be stolen like any other piece of data. Encryption is only useful if you don't keep the key anywhere near the data, which is tricky if you need to be able to retrieve the data automatically, as distinct from asking a real person to type in their key.

    1. Brewster's Angle Grinder

      Re: encrypting sensitive personal data

      Yeah, but it's good marketing.

      "They got your data. But don't panic: it was encrypted! *mumble* they may also *cough* have got the *cough* encryption key. *endmumble*"

  15. banjomike
    Happy

    no indication of INCREASED fraudulent account activity on eBay

    I love that phrasing.

    1. TrishaD

      Re: no indication of INCREASED fraudulent account activity on eBay

      So, if there was no evidence of fraudulent account activity, how did they know they'd been hacked?

      This is actually quite an interesting incident and any comment must involve a certain amount of reading between lines. The truth is undoubtedly out there but getting to it may present a challenge. But a bit of speculation seems in order...

      So then - if the intrusion happened a couple of months back and it was only detected weeks ago, we have two possibilities - either eBay are truly incompetent to the point of recklessness, or this was a fairly stealthy attack by someone who was actually rather good at this sort of thing. If the latter is true, then my best guess would be some sort of spear-phishing directed at system admin type folks. A bit of homework scanning through LinkedIn would probably produce enough information to send a plausible email containing some sort of zero day attack either as an attachment (old hat) or a link back to a compromised site. Job done, start extracting information and loading up the root kits or whatever.

      No conventional security tools are likely to detect this if done well.

      At this point, my sympathies are with eBay. Briefly.

      However, whatever protection they had over encrypted/hashed passwords was obviously woefully inadequate, assuming of course that passwords were compromised rather than 'might have been' compromised.

      Which leads to epic fail on communications. Keeping your mouth shut for a couple of weeks is understandable - get the forensics folks in and crawling all over your logs etc and understand the extent of the problem before you go public is perfectly reasonable.

      But - that period should give you enough breathing space to produce a coherent and sensible communications strategy. One that does not consist of vague advice to change your password. Why the hell couldn't someone have written a script to enforce password change at next logon? Not rocket science.

      Bad security controls and poor incident management. A classic example of a major organisation not taking information security seriously.

  16. Anonymous Coward

    I smell bullshit

    First we are told the NSA have access to everything then every man and his dog are getting you to change passwords.

    If they didn't have your password before they certainly do now.

    or maybe I'm just too cynical and need a tin foil hat?

  17. spellucci

    Pardon my American ignorance: what is a "tat bazaar"? Is eBay's "tat bazaar" a subset of eBay's service, jargon for an online auction, or something else. Mr. Google links to lots of articles by El Reg on the topic, but using a term to define a term is term-inally unhelpful.

    1. Sir Runcible Spoon

      a bazaar is like an open air market

      tat is a load of useless old shite

      eBay is the company hosting aforementioned tat-bazaar

      1. Destroy All Monsters

        "I can't define a tat bazaar but I know one when I see one"

  18. No such thing as an Anonymous Coward
    FAIL

    If you use a key manager...

    Had to disable javascript on the new password page as you can't paste your new 20 character long password containing upper + lower + numbers and symbols.

  19. phil dude
    FAIL

    legal action?

    Any chance there could be some *penalties* for companies being too cheap to keep things secure.

    OK, stuff happens, crims will always try and get in. But if they want our information (and they claim they do) they should be legally culpable.

    Perhaps the cost of IT security teams would go up...?

    P.

  20. Quentin North

    Data Protection Act and Information Commissioner

    It seems to me that this is a data breach and eBay has a registered office in South West London. Can the ICO take action if we make a complaint?

    1. Camilla Smythe
      Pint

      Re: Data Protection Act and Information Commissioner

      "It seems to me that this is a data breach and eBay has a registered office in South West London. Can the ICO take action if we make a complaint?"

      BWAH HA HA HA HA HA HA

      <font size=plus infinity>BWAH HA HA HA HA HA HA</font>

      You owe me some new sides to replace the ones I have just split.

      .. sorry. You may have missed the Troll Icon. Have beer instead.

    2. Werner McGoole

      Or you could just try writing eBay a stern letter

      Cut out the middle man...

    3. Mat

      Re: Data Protection Act and Information Commissioner

      Well if eBay were to change their name to NHS then I'm sure they'd be fined! ;)

  21. heyrick
    WTF?

    eBay.fr

    No notification. No email. No on-screen prompt. No nothing.

    Luckily I have zero trust in PayPal so I always use virtual credit cards. As for the rest of it, WTF eBay?

    1. heyrick

      Re: eBay.fr

      They informed me at seven o'clock this morning...

      "Here is the information we have: this attack took place between late February and early March, and resulted in unauthorised access to a database of eBay users containing our members' usernames, encrypted passwords, email addresses, postal addresses, telephone numbers and dates of birth." - they stop short of pointing out the seriousness of what this actually means. As my mobile number is unlisted, if I suddenly find myself drowning in spam texts, I fully trust that eBay will meet all costs incurred in changing my number; not to mention sorting out the cancellation of any services that other people might sign me up to on the basis of this information (there is enough there to get a person subscribed to SMS services that are charged €€€ per text sent). Thankfully I think the French banking system is too tightly regulated for loans to be granted based purely upon this, though other countries may be somewhat less careful.

      I guess the main question now is not so much what went wrong at eBay, but more - what happens now with regard to this information.

  22. cordwainer 1
    Facepalm

    Odd happenstance upon login....

    I just logged into my eBay account - instead of taking me to the main landing page, it took me to a screen with the words, "Message from eBay"....and no message. Underneath that was a button labeled "Continue to your Destination"

    A blank message seems somehow to epitomize eBay's overall approach to security and communication, i.e., non-existent.

    1. BongoJoe

      Re: Odd happenstance upon login....

      But, complain not. You at least got a message.

      1. Destroy All Monsters

        Re: Odd happenstance upon login....

        "In order to achieve true enlightenment, first, you have to realize the truth: There is no message!"

    2. billat29

      Re: Odd happenstance upon login....

      You're running an adblocker

      1. Loyal Commenter

        Re: Odd happenstance upon login....

        Same happened to me. I assume it was eBay trying to force-feed me advertising.

        Now, how do I go about configuring AdBlock to stop that incredibly annoying full-page video PayPal has on its landing page?

        1. Anonymous Coward

          Re: Odd happenstance upon login....

          With Adblock Plus, right click on video on Paypal site, click on 'Adblock Plus:BlockAudio/Video.....' then click on 'Add Filter'

  23. John H Woods Silver badge

    Just tried to change mine ...

    ... page not available due to high traffic (presumably of people changing their passwords)

  24. ChiefBoffin

    Password change FAIL

    Just logged on to my Ebay account to change my password in response to their advice. This is the response I got 5 times in a row:

    "Page not available

    Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.

    You may also visit Customer Service"

    So we are advised to change our passwords ASAP because Ebay takes our security "seriously"? "Seriously!"

  25. Anonymous Coward
    Anonymous Coward

    Is the net progressing or regressing?....

    I started out using the net @ uni for a comp-sci degree in the early 90's. It held so much promise. Around the mid to late 90's it started to become over-commercialised, but it still had promise. However, now it just isn't fun anymore: The 'Target' hack, Heartbleed, the Adobe cloud fiasco, E-Snowden & NSA privacy revelations, Google ads on everything goal, and now this latest eBay / Paypal meltdown....

    I used to be the go-to guy for family friends for tech matters, but I can't be anymore. How can I assure them of anything when even the CEO of Symantec-Norton admits that their own AV / Malware / Phishing products are a sham! I can't even offer advice regarding financial hacking or data privacy, or government spying, because the attack vectors are firmly beyond me now...

    I have a home based business. I used to diligently roll out updates and patches and even made assumptions that made me sleep better at night. But who has the time anymore?! I now leave most of my office machines permanently unplugged and off-the-net (and use a USB sparingly by air only when necessary). For the machines that are still 'live', I dedicate one to design, another to financial / accounting, and another to (risky) browsing, and isolate all onto different networks...

    All the while I'm thinking this isn't f*cking progress! In addition I no longer have an active financial presence online, because I don't feel the banks / retailers etc, are doing enough to protect consumers, much to the chagrin of many pollyannic customer service mugs.

    But I used to love the internet and I lament the fact there's so many sheeple using it, thereby fuelling the rise in hacks and scams... I cannot help but ask, why have an eBay / Paypal account when you're just a mark to a hacker with ultra-fast broadband in a small town in Romania you've never heard of?... Same goes for Google+, FB, Yahoo and MS mail...

    And when the net isn't about scamming, account hacking, data breaches and hype, it's saturated by the latest celebrity vampire leveraging it for all it's worth... Driven on by a fickle global-media praying at the altar of the new shinny Twitter, Facebook, Google: 'God'...

    So am I the only one retrenching from the net?

    1. David 66

      Re: Is the net progressing or regressing?....

      YOU DARED TO SPELL SHINY INCORRECTLY.

      Seriously: you make a good point.

  26. pip25
    Flame

    I'm beyond fed up with this

    A major site hack or vulnerability or whatever comes out every other week, prompting me to change my password(s). The new one(s) should (once again) be unique to the site, not tied to any personal data, etc., etc...

    Go to hell. Seriously, just go to hell; I'm not a goddamn hash table that can store an infinite number of passwords for an infinite number of sites and change any or all of them at a moment's notice. My memory is rather limited in this aspect.

    Use a password manager, you say? I access these sites from a variety of devices and don't want my passwords to be present (encrypted or not) on all of them. Instead, I use SuperGenPass, but since that uses my master password and the site name to generate the actual pass, I can't change the site password without changing my master password, and thus we're back to square one.

    I'm just so sick and tired of the whole thing by now, goddammit...

    1. Woodgar

      Re: I'm beyond fed up with this

      Interesting point on the "construct password based on site name" concept.

      This is all fine and good until you have to change it, at which point you become stuck.

  27. batfastad

    Reset

    Sounds like it was the meat they employed to blame for this one, compromised accounts. Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?

    I might switch to LastPass. Keep complex passwords all in a centralised web-based service... What could go wrong!

    Also what happened to loading a public/private key pair into your browser and authing that way? All your details encrypted with your private key but stored on whoever's servers. Sounds a bit better than the current shambles to me. I remember it was all the rage with HSBC business banking 15 years ago or so, albeit with a hilariously complicated implementation.

  28. Robin Szemeti

    Not just your current password ...

    Don't forget, the retards at eBay do not just keep your current password in the db, they keep all your previous passwords too ... as anyone who has been faced with their "you can't use that password, because you have used it before" idiocy will know ... so potentially they have not just revealed your current password .. but your whole keyring.

  29. Martin-73 Silver badge

    A rant, and a question (the question's at the end)

    Apologies for the rant, it's an almost direct c/p of my arsebook post on the subject, but the question at the end is likely to be answered relevantly by folks here. (I notice Robin Szemeti above has noticed this too.)

    Begin paste:

    Several points against ebay here. Their backend database got 'hacked' [read: we left the keys on the hall table]. This much is public knowledge.

    So I go to change my password as recommended. Nope. No such user, followed by several variants of 'this page is experiencing extreme load' and 'this page not found' and 'no such email in database'

    So I go to chat to customer disservices using their live chat. Unavailable, despite being in working hours, california time.

    SO I get pissed, and send them a web form based Shit-O-Gram telling them to bloody well fix their ebay password change page NOW as they've just bloody asked everyone to use it.

    I immediately get an email response with some utterly unrelated drivel that was barely literate, referring to paypal password problems. So naturally I replied to it with a "read your goddamned missives rather than sending algorithm matched shite". Only to get a bounce message saying 'this email account is not monitored'. So don't fscking HAVE IT then, what the hell is the point of an email address that doesn't work?

    Eventually after much use of F5 and other F words, I get to the 'reset your password' link, and try to reset it. Only to get an offer to send me a PIN. By Text. To A FSCKING LANDLINE NUMBER. *HEADDESK*

    I chose the more sensible option: Email me a reset link. Here they scored a minor plus: The reset email, which arrived almost instantly and was in my set 'plain text' format, told me to c/p the link to the address bar, encouraging me NOT to click links in email. Good advice. Credit where it's due.

    However, the system then accepted my new password, but would not allow me to sign in with it.

    So I hit reset AGAIN. And here begins the section with the query, I'd be pleased to hear you commentards' input on this: It then refused to let me use that same new password again, as I'd previously used it.

    This to me says there's a problem: One of the following.

    1. They're storing unencrypted passwords (not likely for such a large company, that's a rookie mistake),

    2. They're storing encrypted passwords, not the hashes, bad practice.

    3. They're storing unsalted hashes.

    4. They're salting the hashes with the SAME salt, thus rendering it useless.

    The questions are 2fold. 1, is my analysis above basically correct (I would LOVE some input on my understanding of hashing algorithms), and 2, am I right that this is a major security flaw?

    I won't even go into the rant about 'your password must contain 2 lowercase, 2 numbers, 2 symbols, 2 uppercase, the blood of a virgin, 2 bits of first kingdom hieroglyphics BUT NO SPACES' crap.

    1. WaveSynthBeep

      A moral of the tale

      If you're a big webby company, scale up your password reset system just as you scale the rest of the site. Don't host it on a 486 in the basement, because when things like this happen...

      On the question of salt, they could store each old hash with its own salt and checking the new password by hashing it with each salt in turn and seeing if it matches. That would be more work, but no less secure than individually salted hashes. The password database would be larger, but the old hashes would be purely for elimination - compromising one would only reveal a deactivated password.

      It's a rather curious approach though - what's the threat model from re-using old passwords? (I note Google prevents that too). It would only make sense in an enforced changing regime (when it prevents swapping between 'passwordA' and 'passwordB' every month - but can't detect 'password201405')

    2. Tufty Squirrel

      Re: A rant, and a question (the question's at the end)

      My guess (based on how most half-sane people would do it) would be that they're salting each user's password with a unique-per-user salt, so when you enter your new password it's merged with "your" salt, hashed, and the hash then compared against your previous password hashes to detect "naughty" password reuse.

      This approach would keep 99% of the usefulness of the salt (i.e. you can't generate a rainbow table and mass-reverse everybody's hashes), and any additional weakness this introduces is rather overshadowed by their insane password policy anyway.

      Ebay's password policy, in which password space is bounded to 6 <= length <= 20 characters, passwords must contain 2 of [lower-case, upper-case, punctuation-symbols], with no single dictionary words allowed (amongst other things), whilst removing the possibility of passwords like "apple", reduces the search space for brute-forcing algorithms significantly (with the main culprits being the low minimum length requirement and the bounding of password length to 20 characters).

      1. Tufty Squirrel

        Re: A rant, and a question (the question's at the end)

        Oh, and this : http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    3. Anonymous Coward
      Anonymous Coward

      Re: A rant, and a question (the question's at the end)

      @martin73,

      It's quite easy to verify if you've used the password previously, without storing anything sensitive or reversible. All it has to do is attempt to call the login function with your new password against your old stored salt and hash details. If any one of them returns true, then it's been used before. Simples.

      BTW, why does theReg not believe in https anywhere on their register or login pages.. shameful !
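
The reuse check the three replies above describe (every retired hash kept with its own random salt, and the login check re-run against each in turn), as an added Python example that is not eBay's code; the KDF (PBKDF2-HMAC-SHA256), the history depth and the sample passwords are assumptions:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: PBKDF2-HMAC-SHA256; the scheme works the same with bcrypt/scrypt.
PBKDF2_ROUNDS = 100_000
HISTORY_DEPTH = 5  # how many retired passwords to refuse; an assumed policy value


@dataclass
class StoredHash:
    salt: bytes    # random, unique to this entry
    digest: bytes  # KDF(password, salt); not reversible


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_hash(password: str) -> StoredHash:
    salt = os.urandom(16)
    return StoredHash(salt, derive(password, salt))


def matches(password: str, stored: StoredHash) -> bool:
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(derive(password, stored.salt), stored.digest)


@dataclass
class UserRecord:
    current: StoredHash
    history: list = field(default_factory=list)  # retired hashes, newest first


def login(user: UserRecord, password: str) -> bool:
    return matches(password, user.current)


def previously_used(user: UserRecord, candidate: str) -> bool:
    # Run the login check against every retired (salt, digest) pair in turn.
    # Nothing reversible is stored, and each old hash keeps its own salt.
    return any(matches(candidate, h) for h in [user.current, *user.history])


def change_password(user: UserRecord, new_password: str) -> bool:
    """Refuse reuse of the current or any retired password; True on success."""
    if previously_used(user, new_password):
        return False
    user.history.insert(0, user.current)
    del user.history[HISTORY_DEPTH:]  # drop entries beyond the policy depth
    user.current = make_hash(new_password)
    return True


def demo() -> dict:
    # Constructed walk-through of the reset sequence described in the thread.
    user = UserRecord(make_hash("correct horse battery staple"))
    other = UserRecord(make_hash("correct horse battery staple"))
    return {
        "same_password_different_digest": user.current.digest != other.current.digest,
        "first_change_accepted": change_password(user, "Tr0ub4dor&3"),
        "old_password_rejected_on_reuse": change_password(user, "correct horse battery staple"),
        "login_with_new": login(user, "Tr0ub4dor&3"),
        "login_with_old": login(user, "correct horse battery staple"),
        "history_len": len(user.history),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is exactly as strong as the salted hashes themselves: compromising a retired entry only reveals a password that no longer logs in, which is the point WaveSynthBeep makes above.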

    4. heyrick Silver badge

      Re: A rant, and a question (the question's at the end)

      Changed password yesterday evening without a hitch. Maybe their system noticed that my password was a statement on their level of incompetence? [*]

      * - don't worry, it'll be something else in two moons, I trust eBay marginally more than I trust PayPal; and I don't trust PayPal at all.

      That said, aren't those two practically partner companies? If eBay has been compromised, how do we know PayPal hasn't been?

  30. Snowy

    The problem is made worse by any site you want to buy stuff from also wants you to register with rather than just sell you stuff.

  31. Roger Stenning
    Facepalm

    After the horse has bolted...

    ...been recaptured, stuck in the next door cell in the stables, and the door roped closed without even so much as a new Abloy padlock...

    ...I pre-emptively changed my password. No email to tell me to, of course. Heard about it on the radio, of all things. Oh, and YE FESTERING AND SUFFERING GODS they took HOW FRAKKING LONG to tell us about this TARFU?!

    And to those who bemoan their fiends - I mean friends - and mutants - I mean relations - not having a ruddy clue what to use for a password, tell 'em to get their passwords from here... http://strongpasswordgenerator.com/. Seems to have worked with those who hitherto didn't know what I meant, and couldn't understand how I explained it - thus, there is no longer any excuse NOT to know how to generate a strong password.

    Remembering it afterwards, of course, is another matter altogether...!

    1. Squander Two

      Re: After the horse has bolted...

      Obligatory response to the "strong" password generator: http://xkcd.com/936/

  32. StimuliC

    Heads should roll

    but of course they won't. You can bet that someone let slip and they were not even going to bother alerting their customers to this failing in their security! That's why they spent two weeks sitting on this information.

    In fact, let's reword that, at least one person's head will roll, the employee that let the cat out of the bag when they were going to just pretend it had never happened!

  33. Jin

    Nails given but no hammer given

    To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And, where 2 factor solutions involves a password, where biometrics involve a password for self-rescue in case of false rejection and where ID federations (single-sign-on services and password management tools) require the password called a master-password?

  34. Anonymous Coward
    Mushroom

    Re: Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?

    Paypal? Regulated like a bank? HAHAHAHAHA. Wishful thinking.

    Yes, I'm serious. Paypal themselves very openly abuse the very fact that they "aren't a bank" and thus cannot be regulated as one within the vast majority of countries they operate in.

    It is interesting however because when it comes to matters which strictly benefit Paypal (i.e. them requesting for copies of your national ID) they suddenly behave all "oh we must have this information as we're a "financial institution"". But the very moment your Paypal account is frozen for whatever arbitrary reason deemed fit by Paypal then the tone swiftly swings to "we are not a bank and thus the only legal document which matters is *our* TOS and fuck all".

    Yeah. Fuck you too Paypal.

  35. Anonymous Coward
    Anonymous Coward

    Systems on edge of meltdown

    System now unable to cope with demand. "Technical Difficulties" and apologies system under heavy demand messages when I tried to change my password. Useless. Know why I avoid using these people as much as possible.

  36. beermunster
    FAIL

    ICO Not interested

    As title, they refer you to the EU regarding DPA issues.

    Also if you have a suspended account, you can't change your password! Just tried on a very old account.

    Won't change any incorrect details and ICO just don't give a stuff!

  37. Neill Mitchell

    Daft passwords policies no longer relevant

    "passwords must contain 2 of [lower-case, upper-case, punctuation-symbols]"

    This might have been relevant last century when it was humans who were trying to guess passwords, but do they honestly think it makes a blind bit of difference to a botnet what format the bloody password is?

    Plus you are more likely to store these passwords somewhere insecure because you can't remember all the bloody things.

    Better approach, but unfortunately stupid above type policies don't allow it:

    http://xkcd.com/936/

  38. Anthony Hagger

    I think they should be liable for the lack of security and the fact that someone now has our personal details and could attempt to use this to steal our ID etc.

    I think that Ebay should offer compensation to all 145 million customers but that will not happen and so I think everyone should close their accounts as this company does not deserve to trade if it is so lax.

    1. Zog The Undeniable

      Won't happen

      eBay is awful, incompetent and customer-hostile but I still use it reluctantly; it achieved critical mass many years ago so is the only significant marketplace for stuff you need to sell, or secondhand stuff you can't find anywhere else. They have a monopoly and they know it.

    2. heyrick Silver badge
      Megaphone

      I think that Ebay should offer compensation to all 145 million customers

      I don't want "compensation".

      One derisory little token payment and then the matter is considered closed?

      No.

      I expect nothing less than for eBay, for a period no less than the validity of the data, to resolve - at their expense - any abnormality that may have arisen as a result of the leak of this information (directly into the hands of criminals, I should add - this information was taken with a purpose in mind).

      Of course, the onus is upon eBay to have to prove that they are not culpable, per instance, not the other way around.

      That is what we require. Not "compensation".

  39. AlCro

    Poor notification

    I have not received any notification - no messages in my Ebay Inbox, no notices displayed after first logging in.

    Having read about the problem on another web site (Hexus.net), I went in to change my password.

    It wasn't until I started the process (i.e. selected edit password), that the page displayed a message advising me to change my password and asking me to enter my email address, so that I could continue with the process.

    Well that is truly a cart-before-the-horse way of informing users! Wait until they are doing the activity they need to do before informing them of the need to carry on.

    Not impressed

  40. Zog The Undeniable

    The Lads from Lagos will be all over this like a rash

    Dear valued eBay customer,

    As you may have seen in the news, we have experienced a minor security breach in which none of your credit card or other financial data were stolen. However, eBay recommends that you reset your password by clicking on this link and entering your social security number, PIN and bank card details to validate yourself:

    eBay password reset

    Yours in God,

    Ologugu Ungobungo

    Vice President Customer Services

  41. Loyal Commenter Silver badge

    Dear e-Bay

    Use an n-tier architecture:

    web server -> application server -> database server

    I suspect this breach came about because their web servers have direct access to the database, and someone used this to access them. This is bad design practice for this reason. The only server facing the web should be the web server. This should talk to the application server, which does request validation, business rules, etc. and which is not visible from the web. This server then talks to the database. If big companies like eBay can't get this right, then they're not employing the right people.

  42. Deadly Headshot

    SQL Injection

    In 2011 I stumbled across a potential point for SQL Injection in their sign-up process and subsequently emailed them. They ignored me. For all I know, you can still get in that way.

  43. Anonymous Coward
    Anonymous Coward

    I griped about the eBay security farce on Twitter and got this rapid response.

    Hopefully, they'll forgive me if I don't believe them.

    ***

    AskeBay: There is no evidence of any unauthorized access to personal or financial info, as it's stored separately in encrypted formats ^E 11:47am, May 22 from Attensity Respond 6

  44. Anonymous Coward
    Anonymous Coward

    And this is the exact reason why I don't use their one stop checkout system (tying your paypal and ebay into one and allowing you to pay without a paypal secondary login)..!

  45. Martin Maloney
    Coat

    Things used to be simpler

    I used to use "incorrect" as my universal password. That way, if I spaced out and entered the wrong password, the site would tell me, "Your password is incorrect."

  46. Stevie Silver badge

    Bah!

    Why don't people running webtat emporia encrypt *EVERYTHING*?

    Ditto banks.
