eBay finally prompts users to change passwords after huge data breach
Notice begins to appear on home page of ebay.com
Computerworld - eBay on Friday put a notice on its home page urging users to change their passwords after security experts had criticized the auction site for failing to promptly alert customers about a massive break-in and data theft.
The notice, which includes a link to the password reset process, was part of the advice eBay had given its users on Wednesday to immediately change their passwords.
That same day, eBay announced a huge data breach that had taken place in late February and early March. Hackers made off with the user database, which contained names, email and street addresses, phone numbers and passwords for an estimated 145 million eBay users. eBay said that the user information was encrypted.
The attackers compromised a "small number of employee log-in credentials," eBay said, to gain access to its network, then scoured the firm's systems before making off with the database. The San Jose, Calif. company discovered the break-in earlier this month.
"Take a moment to change your password," said Devin Wenig, president of eBay Marketplaces, in a notice on the website. "This will help further protect you; it's always a good practice to periodically update your password."
Wenig also urged customers to change passwords on other sites if they had reused the one for eBay.
Graham Cluley, a prominent security blogger who previously worked for U.K. security company Sophos, has been critical of eBay's slow reaction to the break-in, particularly the lack of a change-password notice on the Marketplace home page.
"If you're one of the world's top websites, and hackers broke in a couple of months ago, making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?" Cluley asked on his blog Wednesday. "And wouldn't it be good if you provided an easy link where people could reset their passwords?"
Cluley and others slammed eBay for not prompting users to change their passwords, for not emailing them as it had promised, and for making it difficult to switch to a new password.
Computerworld encountered problems changing passwords on eBay as well; in one password-reset section, eBay's site would not let staffers paste in new passwords generated by 1Password, a popular Mac password manager.
Today, Cluley said that he had seen the change-password message on the U.K. version of eBay yesterday. "But I know other countries have taken longer," he said in an email. "Their response time has hardly been impressive."
eBay has published an FAQ about the break-in on its corporate website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.