eBay Hacked, Change Your Passwords Now

mmntech

Lifer
Sep 20, 2007
17,501
12
0
The correct thing to do for companies is send out a notification as soon as the hack is detected. Yet they keep trying to cover them up for some reason. That just screws you over in the long run. Look at Target.
 

SlickSnake

Diamond Member
May 29, 2007
5,235
2
0
The correct thing to do for companies is send out a notification as soon as the hack is detected. Yet they keep trying to cover them up for some reason. That just screws you over in the long run. Look at Target.

Because companies always want to wait until the next quarter's financial statements just to protect their stock value as long as possible, no doubt. Then they have a chance to sell their personal stock and get their company's financial situation in order before they report it and the stock tanks. Of course, the customers' needs always figure absolute last in this financial decision, you know, in spite of the fact it's the customers who make the companies any money and are their sole reason for supposedly being there. How's that for customer service?
 

pontifex

Lifer
Dec 5, 2000
43,804
46
91
they should send an email to all members.

there's not even a notice on the main ebay site...wtf?
 

OCGuy

Lifer
Jul 12, 2000
27,224
37
91
"See honey! It wasn't me that won that DVD of 'Granny Trannies in Panties XII'. Can we call off the divorce now?"
 

SlickSnake

Diamond Member
May 29, 2007
5,235
2
0
"See honey! It wasn't me that won that DVD of 'Granny Trannies in Panties XII'. Can we call off the divorce now?"

So that's where my lost DVD went! So I guess she didn't enjoy the free movie as much as you did?
 

T9D

Diamond Member
Dec 1, 2001
5,320
6
0
I'm running out of damn passwords for how many times I've had to change them lately. I'm seriously tired of trying to come up with new ones, and be able to remember them.

When you finally decide on one and think 'hey this is a great password, I think I can remember it too, nobody will hack this'. Then you get another damn company broken into and have to change it all over again.
 

Hacp

Lifer
Jun 8, 2005
13,923
2
81
I'm running out of damn passwords for how many times I've had to change them lately. I'm seriously tired of trying to come up with new ones, and be able to remember them.

When you finally decide on one and think 'hey this is a great password, I think I can remember it too, nobody will hack this'. Then you get another damn company broken into and have to change it all over again.

Here's a secret. Say your main password is M1O2N3I4T5O6R. Well for ebay, use this password:

yabeM1O2N3I4T5O6R

for google, use this password

elgoogM1O2N3I4T5O6R

for bank of america, use this password

AOBM1O2N3I4T5O6R.
 

allisolm

Elite Member
Administrator
Jan 2, 2001
25,185
4,739
136
"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth."

Wonderful. :rolleyes:
 

highland145

Lifer
Oct 12, 2009
43,973
6,334
136
1. Click My eBay at the top of most eBay pages and sign in.
2. Click the Account tab, and then click the Personal Information link on the left.
3. On the Password line, click the Edit link on the right. For added security, you'll be asked to sign in again.
4. Enter your current password and your new password in the spaces provided and click Save.
 

smackababy

Lifer
Oct 30, 2008
27,024
79
86
"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth."

Wonderful. :rolleyes:

Besides the personal data, encrypted passwords shouldn't be easily hacked. I would imagine if they are going through the trouble of saving the encrypted (likely hashed) password, they are salting it as well.

This could have been worse. They could have been saving them in clear text in the database.
 

disappoint

Lifer
Dec 7, 2009
10,132
382
126
i don't even remember what my ebay password is

So? Just hack them. How hard could it be?

"Once more...into the breach!"

Just rummaging around looking for my old password, don't mind me ebay.

Oh there it is! Now I remember! It's password123!

hF13BB9FD
 

disappoint

Lifer
Dec 7, 2009
10,132
382
126
Besides the personal data, encrypted passwords shouldn't be easily hacked. I would imagine if they are going through the trouble of saving the encrypted (likely hashed) password, they are salting it as well.

This could have been worse. They could have been saving them in clear text in the database.

Depends. Technically even ROT13 is encryption. One even a 5 year old could decipher.

ROT13 ("rotate by 13 places", sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is an example of the Caesar cipher, developed in ancient Rome.
In the basic Latin alphabet, ROT13 is its own inverse; that is, to undo ROT13, the same algorithm is applied, so the same action can be used for encoding and decoding. The algorithm provides virtually no cryptographic security, and is often cited as a canonical example of weak encryption.
ROT13 is used in online forums as a means of hiding spoilers, punchlines, puzzle solutions, and offensive materials from the casual glance. ROT13 has been described as the "Usenet equivalent of a magazine printing the answer to a quiz upside down". ROT13 has inspired a variety of letter and word games on-line, and is frequently mentioned in newsgroup conversations.
And before you scoff: "Hah! ROT13 has been a joke for hundreds of years! No company today would use that seriously!" Keep in mind there have always been dimwits, and there will always be dimwits. Sometimes even in charge.

In December 1999, it was found that Netscape Communicator used ROT-13 as part of an insecure scheme to store email passwords.[7] In 2001, Russian programmer Dimitry Sklyarov demonstrated that an eBook vendor, New Paradigm Research Group (NPRG), used ROT13 to encrypt their documents; it has been speculated that NPRG may have mistaken the ROT13 toy example—provided with the Adobe eBook software development kit—for a serious encryption scheme. Windows XP uses ROT13 on some of its registry keys.
The ROT13 encryption is used to cipher cache hints on Geocaching.com.

quotes from: http://en.wikipedia.org/wiki/ROT13
 

rh71

No Lifer
Aug 28, 2001
52,844
1,049
126
it did not prompt me to change mine

*encrypted password... should we worry then?
 
Feb 19, 2001
20,155
23
81
Oh the smug feeling when I login to see that I use LastPass on eBay. I guess I can't use ASqswhYid6%RwuOeMU7K anymore, but that's no worry.
 
Feb 19, 2001
20,155
23
81
it did not prompt me to change mine

*encrypted password... should we worry then?
The issue is if the encryption is "SHA-1" then a GPU can process billions of guesses a second and 8 character passwords can be hacked pretty quickly.

If they properly used SHA-1 + salt then I'd be less concerned, and even less concerned if they used a proper hashing algorithm designed for passwords like bcrypt or PBKDF2
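
The three storage schemes named in the post above, side by side, as an added example that is not part of the thread: unsalted SHA-1, salted SHA-1, and PBKDF2. The iteration count, the sample password and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def sha1_unsalted(password: str) -> str:
    """Fast and unsalted: equal passwords always give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """A per-user salt defeats precomputed tables; each guess is still cheap."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256. Returns (salt, key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = pbkdf2_hash(password, salt)
    return hmac.compare_digest(key, expected)


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of one call to fn."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    pw = "password123"  # constructed sample password shared by two users
    print("unsalted, same digest:", sha1_unsalted(pw) == sha1_unsalted(pw))
    a, b = os.urandom(16), os.urandom(16)
    print("salted, same digest:  ", sha1_salted(pw, a) == sha1_salted(pw, b))
    fast = seconds_per_hash(lambda: sha1_unsalted(pw), 10_000)
    slow = seconds_per_hash(lambda: pbkdf2_hash(pw, a), 2)
    print(f"one PBKDF2 hash costs about {slow / fast:,.0f}x one SHA-1 hash")
```
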
 

BUTCH1

Lifer
Jul 15, 2000
20,433
1,769
126
they should send an email to all members.

there's not even a notice on the main ebay site...wtf?

The issue with going that route is it's always been a spam attack method, I've received fake Paypal emails linking me to a bogus site claiming "emergency!, log in now and change your password!"...