If you're one of the world's top websites, and hackers broke in a couple of months ago making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?
And wouldn't it be good if you provided an easy link where people could reset their passwords?
As it is, users have to dig around in eBay's press section for news about their colossal security snafu, and even then they don't tell folks how to change their password.
The same is true if you log into your eBay account. There's no message displayed telling you about the breach or what you should do about it.
Some have vented their disapproval via Twitter:
Let’s do the @ebay breach response checklist! Email notification (to me anyway)? No. Notice on web page? No. Warning upon logging in? No.
— Paul Roberts (@paulfroberts) May 21, 2014
@gcluley It requires one to click on 4 or 5 links to get to their FAQ about the breach. This type of info should be in one's face ASAP.
— Greg (@pcguy8088) May 21, 2014
It feels to me like eBay isn't handling this very professionally. Firstly they messed up the original disclosure of the breach with a half-finished blog post that should never have been published, then they deleted it (making everyone think it was an innocent mistake - and that no breach had occurred).
Then it was confirmed that a breach had occurred, and everyone should change their passwords...
But they're still not being proactive enough in telling their users who might have missed the headlines in the media, or in sharing information about what methods they used to encrypt, salt and hash the passwords to keep them out of the hackers' hands.
And, excuse me, but if the site is serious about all eBay users having to reset their passwords - why aren't they forcing a password reset? How come you can still log into eBay with your old password?
How to change your eBay password
- Log into your eBay account
- Click on your name in the top left corner, and select Account Settings
- Now click "Personal Information". You should see an option to "edit" your password.
- You will make sure you're not using the same password anywhere else, won't you? Good.