eBay finally prompts users to change passwords after huge data breach
Notice begins to appear on home page of ebay.com
Computerworld - eBay on Friday put a notice on its home page urging users to change their passwords after security experts had criticized the auction site for failing to promptly alert customers about a massive break-in and data theft.
The notice, which links to the password reset process, repeats the advice eBay had given its users on Wednesday to change their passwords immediately.
That same day, eBay announced that its network had been breached in late February and early March. Hackers made off with a user database containing names, email and street addresses, phone numbers and passwords for an estimated 145 million eBay users. eBay said the passwords were encrypted; how much protection that affords depends on whether they were hashed with a per-user salt and on the algorithm used, since that governs how fast an attacker can crack the stolen copies offline.
The attackers compromised a "small number of employee log-in credentials," eBay said, to gain access to its network, then scoured the firm's systems before making off with the database. The San Jose, Calif. company discovered the break-in earlier this month.
"Take a moment to change your password," said Devin Wenig, president of eBay Marketplaces, in a notice on the website. "This will help further protect you; it's always a good practice to periodically update your password."
Wenig also urged customers to change passwords on other sites if they had reused the one for eBay.
Graham Cluley, a prominent security blogger who previously worked for U.K. security company Sophos, has been critical of eBay's slow reaction to the break-in, particularly the lack of a change-password notice on the Marketplace home page.
"If you're one of the world's top websites, and hackers broke in a couple of months ago, making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?" Cluley asked on his blog Wednesday. "And wouldn't it be good if you provided an easy link where people could reset their passwords?"
Cluley and others slammed eBay for not prompting users to change their passwords, for not emailing them as it had promised, and for making it difficult to switch to a new password.
Computerworld encountered problems changing passwords on eBay as well; in one password-reset section, eBay's site would not let staffers paste in new passwords generated by 1Password, a popular Mac password manager. Blocking paste in a password field works against exactly the users who rely on a manager to generate long, random, unique passwords.
Today, Cluley said that he had seen the change-password message on the U.K. version of eBay yesterday. "But I know other countries have taken longer," he said in an email. "Their response time has hardly been impressive."
eBay has published an FAQ about the break-in on its corporate website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.