If you’re one of the world’s top websites, and hackers broke in a couple of months ago making off with a database of your users, wouldn’t it make good sense to make sure that users visiting your website were clearly informed as to what was going on?
And wouldn’t it be good if you provided an easy link where people could reset their passwords?
As it is, users have to dig around in eBay’s press section for news about their colossal security snafu, and even then they don’t tell folks how to change their password.
The same is true if you log into your eBay account. There’s no message displayed telling you about the breach or what you should do about it.
Some have vented their disapproval via Twitter:
Let’s do the @ebay breach response checklist! Email notification (to me anyway)? No. Notice on web page? No. Warning upon logging in? No.
— Paul Roberts (@paulfroberts) May 21, 2014
@gcluley It requires one to click on 4 or 5 links to get to their FAQ about the breach. This type of info should be in one's face ASAP.
— Greg (@pcguy8088) May 21, 2014
It feels to me like eBay isn’t handling this very professionally. Firstly they messed up the original disclosure of the breach with a half-finished blog post that should never have been published, then they deleted it (making everyone think it was an innocent mistake – and that no breach had occurred).
Then it was confirmed that a breach had occurred, and everyone should change their passwords…
But they’re still not being proactive enough in telling their users who might have missed the headlines in the media, or in sharing information about what methods they used to encrypt, salt and hash the passwords to keep them out of the hackers’ hands.
And, excuse me, but if the site is serious about all eBay users having to reset their passwords – why aren’t they forcing a password reset? How come you can still log into eBay with your old password?
How to change your eBay password
- Log into your eBay account
- Click on your name in the top left corner, and select Account Settings
- Now click “Personal Information”. You should see an option to “edit” your password.
- You will make sure you’re not using the same password anywhere else, won’t you? Good.
6 comments on “Why is eBay burying news of its security breach from its millions of web visitors?”
Maybe they're waiting for the US Stock Markets to close, for fear of the share price being hit?
Simple: eBay is in cahoots with PayPal. PayPal is, how to put it… shady at best, and yet they are sometimes the only option. They have a really bad reputation and it is well deserved. I know I'm not the only one who has been cheated by them and I know I was not the last. eBay hides it because of the same reasons PayPal cheats/etc.: they are corrupt in multiple ways and only want their good side to show. But all one needs to do is search for PayPal class action lawsuits (this was some years ago and I would be surprised if it still is not happening) to get an idea. This unfortunately does not surprise me in the least. Indeed, it actually matches their standards. I could go on with other issues eBay has but there's really no point in it because unfortunately to many (i.e., those in power, i.e., those who are most vulnerable to corruption) money solves everything. To those who don't have as much money (including non-profits, say), you're as good as out of luck on your own, with legal issues (for one example of many). Shameful of eBay? Absolutely. Expected? Absolutely.
And yes, Bernard, you could look at it that way in a sense; indeed, they are corrupt and money hungry just like PayPal (which you can, last I remember, view as the same company). No matter, these types of things eventually will bite and it'll be a vicious bite. Unfortunately many will be at risk until then (and potentially after because they have the money and power to do it again despite the risks, just like some banks that come to mind).
It's finally on the front page.
EBay have some peculiar ideas towards passwords too…
They restrict the pasting of passwords, so forget about creating a completely random 64-character password including special characters in a password manager. A good article about this can be found on the Troy Hunt blog.
Also, when I generated a password using KeePass with 20 characters (uppercase, lowercase & numbers), it was identified as medium strength… sounds a bit off to me.
The warning is on the front page now, at least on .co.uk.
To make it even better, once you get to the page where you want to change your password, you have to enter your email address then wait for them to email you a password reset email. Why???
Why not just let me change my password? I've got access to my account, so I can change the email address that the reset message will be sent to, so there is no security benefit that I can see…
Worse still… the emails never arrive (not surprising really given the number of people that must be doing this at the same time) thus creating even more frustration.
Nice one eBay…
So here am I on a typically glorious summer day in Wigan but something is wrong. I will now be spending the rest of my life anxiously waiting for a knock on the door to be told that a crime has been committed in my name and the FBI want to extradite me. Those nice people at eBay let my unencrypted personal particulars out into the wild and who knows what mischief I will be accused of when some criminal uses my details from his list, supplied courtesy of eBay.