It took eBay a *long* time to tell me to change my password

Yesterday, at 5:32pm UK time, I received an email from eBay, telling me that I should consider changing my password because they had suffered a security breach.

Email from eBay

This wasn’t news to me (and I suspect not you either).

After all, on Wednesday last week (at 12:22pm) I posted a story asking “Should you change your eBay password?”, after I saw a strange message appear on PayPal’s press website:

eBay asks you to change your passwords?

eBay scrabbled to remove the “placeholder text” announcement which clearly wasn’t ready for public distribution, replacing it a few hours later with an official announcement.

For the record, I posted on my website that people should consider changing their eBay passwords a full 5 days, 5 hours, and 10 minutes before eBay emailed me.

I think that’s a pretty shameful response by eBay.

And I hear lots of eBay users still haven’t received any notification from the company that there has been a security breach, and that their personal information has been exposed.

Even if you have received the email from eBay, it doesn’t bother to tell you *how* to change your password. So, here’s my simple guide:

How to change your eBay password

  • Log into your eBay account
  • Click on your name in the top left corner, and select Account Settings
  • Now click “Personal Information”. You should see an option to “edit” your password.
  • You will make sure you’re not using the same password anywhere else, won’t you? Good.

Remember, of course, to make sure that you are not re-using passwords on different websites.

If you do make the mistake of reusing passwords, you are running the risk of having your password compromised in one place (perhaps via a phishing attack, key logger or a hack like the one against eBay) and then criminals could use it to unlock your other online accounts.

If you find passwords a burden – simply use password management software such as Bitwarden, 1Password, or KeePass to make them both safer and easier to remember.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

6 comments on “It took eBay a *long* time to tell me to change my password”

  1. Havenswift Hosting

    Still not received any emails from eBay for a number of different accounts either and while it probably takes a while to send that many emails out to all their users it is extremely poor of eBay to have taken as long as it did to even start sending them and they should be doing everything they can to speed the process up. Luckily we are subscribed to your newsletter / site emails and changed all of our passwords for our accounts within a few minutes of you posting your initial warning and had also warned all of our users as well

  2. Eeeeeeeksbay

    Well well, apart from that VERY slow response from eBay as to resetting one's account password…. eBay is even messing up BIG TIME now: cross scripting, cookie injections just by visiting one of the eBay items from a hacker…

    Wow…

    Read here: http://www.arnnet.com.au/article/546057/ebay_flaw_could_used_hijack_accounts_researcher_says/

    Yes, the boy is just 19 years old, but eBay can't get its act together.
    "Eeeeeeeksbay" !

  3. Keith Appleyard

    Still not received any emails from eBay (or PayPal) – not even spoof / spam ones!

  4. J uk

    I only just received my official email yesterday at 9:53; if it hadn't been for my trusted daily security feeds it would have been a lot, lot longer.

    Not to mention the fact it took me 3 days to get eBay to even accept a new password because certain characters like !] ) – aren't accepted, which was not made clear at all.

  5. Philip

    Well, given that the breach took place in February I don't see that an extra few days makes much difference either way.
    I'm more concerned about my unencrypted personal details getting loose anyway.

  6. Keith Appleyard

    Finally – I get the long anticipated e-mail notification from eBay that they have been hacked and that I should change my password – 11 days after they first reported it on their blog. What’s with those guys’ e-mail system, 11 days to tell us here in the UK? Fortunately I changed my password a while ago.
