
eBay customers’ personal data was compromised in March

187 points| patchoulol | 12 years ago |ebayinc.com | reply

139 comments

[+] panarky|12 years ago|reply
The spin is atrocious. The big story is not the headline, that users must change passwords.

The big story is that ebay leaked personally identifiable information. Naturally this is buried four paragraphs down.

  The database, which was compromised between late February and
  early March, included eBay customers’ name, encrypted password,
  email address, physical address, phone number and date of birth.
Don't patronize me with empty platitudes like "changing passwords is a best practice".

Tell me to brace for an inevitable wave of phishing and identity attacks.

Tell me that bad guys will try to steal my other online accounts with this information.

Tell me to trust no one because bad guys now look legit with my home address, phone number and DOB.

Pro tip: put the real story in the headline. That's also a "best practice".

[+] joshvm|12 years ago|reply
Don't forget that it was nearly three months ago. Why weren't users informed immediately?

Do I need to update my PayPal account too? (my email is the same, but both passwords are long and randomised so not too bothered). So now they know my email address and my home address - and my date of birth, always convenient. Oh and as someone pointed out, I have PayPal automatically linked to my eBay account. Great.

Which physical address? My default delivery? My invoice address?

So a quick update from the BBC: "something it only became aware of a fortnight ago"

They only just realised, essentially. Although it's worrying that it took an eCommerce site so long to catch it. And that's still two weeks when eBay knew and nobody else did.

[+] vijucat|12 years ago|reply
> customers’ name, encrypted password, email address, physical address, phone number and date of birth

Holy crap, isn't that enough to do some social engineering and get a new credit card or something equally serious?!

[+] planetjones|12 years ago|reply
My thoughts exactly - this is a terribly spun statement by eBay. My personal data has now been leaked to unknown parties and they make light of it by droning on about "best practice" and passwords.
[+] non-sense|12 years ago|reply
Oh Gosh! The oversimplification is mind boggling. Being an ecommerce and payments website they should have been very clear about the impact this breach has on our privacy. Angry.
[+] unclebucknasty|12 years ago|reply
>Don't patronize me with empty platitudes like "changing passwords is a best practice".

Made me retch too. Pardon me, but how did your security snafu get to be about telling me what I ought to do? Some sort of amateur reverse psychology? A Jedi mind-trick? Kind of implies that we somehow have responsibility for it too. "Yes, yes, we allowed this to happen, but if you'd only make yourself aware of best practices, you wouldn't have anything to worry about."

Very condescending. Just tell me what I need to do to mitigate your screw up. Skip the security lesson and misdirection.

I also don't see an apology, but merely "regrets". I'm guessing their legal department weighed in on this one, but that omission, along with the spin, and the whole picture just reads like a big CYA and a "screw you!" to customers.

[+] leorocky|12 years ago|reply
> The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Ebay being hacked kind of scares the hell out of me because PayPal has my checking account information with direct access to withdraw funds. A hacker could rob me blind. Like seriously the owner of PayPal should not be telling me this "we have no evidence of" bullshit because there's no alternative to PayPal that online stores actually use and changing your checking account number and routing number is very very painful. You have to get new checks, you lose checking history. Fuck.

[+] archon|12 years ago|reply
I know it's not always practical for everyone, so I can't give it as general advice, but this kind of situation is exactly why I isolate my "real" checking account. My primary account (the one to which my paychecks are deposited) doesn't have a debit card, and I never use the account number. I have a different account that I use for online services like PayPal, and for recurring charges online that require a credit/debit card, which I transfer money into on demand.

It's extra work for me, but it's also less risk. Unless somebody gains access to my online banking account, they're not going to be able to access my primary funds account.

[+] panarky|12 years ago|reply
If ebay is spinning this, burying the lede, minimizing the real severity, eventually the truth will be known.

So I'm trying an arbitrage trade. Just sold short ebay at 51.62 and hedged by buying amzn at 305.44.

If this is more serious than the press release indicates, ebay should deteriorate relative to amzn.

[+] mnw21cam|12 years ago|reply
Okay, so let's imagine for a moment that the "secure, encrypted" database of card numbers has also been compromised. The attacker would have the plaintext name and address, and an encrypted 16 digit number, with an entropy of at most 53 bits - maybe 66 bits if the expiry date is included. That's before you take card number check digits and geographically-likely prefix codes into account, which will reduce the entropy. (Edit: yes, they wouldn't store the CVV). And don't get me started on showing the user the last four digits of the card number. It wouldn't take much effort in this day and age for the attacker to try all possible card numbers, and then they have name, address, and card number. Game over, man.

Wouldn't it be possible for them instead to store a token generated from the card number and Ebay/Paypal's incoming bank account number, which can only be used for paying into that particular account?
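The comment's back-of-the-envelope entropy argument and its closing suggestion of a token in place of the card number, worked through in Go as an added example that is not part of the thread or of anything eBay or PayPal published. Everything in it is an assumption: the CardKnowledge fields model what an attacker who can test guesses offline is presumed to already know, the 6-digit issuer prefix and the 10-year expiry window are illustrative, the card number is the standard 4111... test number, and the Vault is the simplest form of the proposed token: a random 128-bit value with no mathematical relation to the card number, bound to one receiving account so it is useless for paying anyone else. The plaintext side of the vault mapping is left in the clear only to keep the example short; a real vault encrypts it under its own key.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
)

// CardKnowledge models what an attacker who can test guesses offline is assumed
// to already know about a stored 16-digit card number (all fields are
// constructed assumptions for this example).
type CardKnowledge struct {
	KnownPrefixDigits int  // issuer (BIN) digits guessable from region or bank
	LastFourVisible   bool // the UI shows the last four digits
	LuhnKnown         bool // the check digit is computable, so it carries no entropy
	ExpiryIncluded    bool // expiry month/year is part of the protected value
	ExpiryYears       int  // plausible expiry years, if included
}

// SearchSpaceBits returns log2 of the number of candidates left to try. It
// depends only on structural knowledge of the number, not on the cipher used.
func SearchSpaceBits(k CardKnowledge) float64 {
	free := 16 - k.KnownPrefixDigits
	if k.LastFourVisible {
		free -= 4 // the check digit is among the visible four
	} else if k.LuhnKnown {
		free -= 1
	}
	if free < 0 {
		free = 0
	}
	bits := float64(free) * math.Log2(10)
	if k.ExpiryIncluded && k.ExpiryYears > 0 {
		bits += math.Log2(float64(12 * k.ExpiryYears))
	}
	return bits
}

// Vault is the simplest form of the token the comment proposes: a random
// token with no mathematical relation to the card number, bound to one
// receiving account. The plaintext side of the mapping is kept in the clear
// here only for brevity; a real vault encrypts it under a separate key.
type Vault struct {
	byToken map[string]vaultEntry
	byPAN   map[string]string // "merchant:pan" -> token
}

type vaultEntry struct {
	pan      string
	merchant string
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]vaultEntry{}, byPAN: map[string]string{}}
}

// Tokenize returns the existing token for (merchant, pan) or mints a new one
// from 128 bits of CSPRNG output: 128 bits of entropy regardless of how much
// of the card number is public.
func (v *Vault) Tokenize(pan, merchant string) (string, error) {
	key := merchant + ":" + pan
	if t, ok := v.byPAN[key]; ok {
		return t, nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	t := hex.EncodeToString(buf)
	v.byToken[t] = vaultEntry{pan: pan, merchant: merchant}
	v.byPAN[key] = t
	return t, nil
}

// Detokenize releases the card number only to the merchant the token was
// minted for: the "can only be used for paying into that particular account"
// property from the comment.
func (v *Vault) Detokenize(token, merchant string) (string, bool) {
	e, ok := v.byToken[token]
	if !ok || e.merchant != merchant {
		return "", false
	}
	return e.pan, true
}

func main() {
	fmt.Printf("full 16 digits unknown:        %.1f bits\n", SearchSpaceBits(CardKnowledge{}))
	fmt.Printf("plus expiry, 10-year window:   %.1f bits\n",
		SearchSpaceBits(CardKnowledge{ExpiryIncluded: true, ExpiryYears: 10}))
	fmt.Printf("6-digit BIN + last four shown: %.1f bits\n",
		SearchSpaceBits(CardKnowledge{KnownPrefixDigits: 6, LastFourVisible: true, LuhnKnown: true}))

	v := NewVault()
	tok, _ := v.Tokenize("4111111111111111", "ebay-merchant") // standard test card number
	_, okOther := v.Detokenize(tok, "someone-else")
	fmt.Println("token:", tok, "usable by another merchant:", okOther)
}
```

The baseline comes out at 53.2 bits, matching the comment's "at most 53"; the comment's 66-bit figure with expiry corresponds to treating MMYY as four free digits, whereas this model counts 12 months times a plausible year window. The practical point is the third line: once the issuer prefix and the displayed last four are taken into account, the structural entropy of the stored number is far below what any cipher key provides, so the defence is to store something whose entropy does not depend on the card number at all.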

[+] woobar|12 years ago|reply
Thanks for reminding me about this. I was using a separate checking account just for PayPal. Until they "restricted" my PP account. Since I've stopped using PayPal, now I keep some money on that checking account. Went to update my profile...

1. You cannot remove a primary credit card from your profile. There is only one option, "Edit", where you can change the expiration date and billing address. Entering an incorrect expiration date does not work. It only allowed me to change the billing address.

2. Removing a checking account is not confirmed. Once I'd clicked the "Remove" button I was redirected to the login screen. Now when I try to access my bank account I am signed out and redirected to login.

I hate calling them, but looks like that's my only option.

[+] matwood|12 years ago|reply
Not practical when you want to pull money out, but I only have paypal hooked up to my CC. This very reason is why I never hooked it up to my bank account. When I do get people who paypal me money, which is not often, I just use the money to load my sbux card or something.

Obviously this is harder to do if you are a merchant who takes large amounts of money through paypal. In those cases though the merchant should have already segmented the paypal hooked bank account from the primary business account. If you are a merchant and have not done this, now is a good time.

[+] wrboyce|12 years ago|reply
"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information."

…So, just my entire identity then? eBay really seem to be down-playing the severity of this.

[+] danielweber|12 years ago|reply
FWIW, "ebayinc.com" totally screams "phishing attempt" to me.
[+] droopyEyelids|12 years ago|reply
You have to remember that eBay is an ancient tech company run by the old MBA types that didn't really understand what value to place on engineering.

All their internal systems are maintained by vendors, VARs, and contractors.

So weird stuff like the ebayinc.com domain is to be expected. As is this hack. Also it'd be interesting to know how it was detected, and how the extent of access was determined. But if my prediction is correct, we will never see a truly open blog post about it. First, because it's not clear to me that eBay "infosec" is up to the task. Second, because eBay believes more in compartmentalization, secrecy, misdirection etc. than 'openness'.

[+] lbarrow|12 years ago|reply
It's an investor relations-ey site.
[+] AdmiralAsshat|12 years ago|reply
Week 1: "We have no reason to believe that any confidential information has been compromised."

Week 2: "We have observed some limited and negligible instances of credit card information being compromised that coincidentally happened to be linked to eBay accounts. We consider this purely coincidental and feel it is no cause for concern."

Week 3: "Oh god they took everything."

[+] jgrahamc|12 years ago|reply
Has anyone received an email from eBay about this? I'm guessing that the phishers are going to be faster at getting out fake change password emails than eBay themselves.
[+] orbitingpluto|12 years ago|reply
Since PayPal == eBay, I just went to change my PayPal password as well.

PayPal went full retard. The security confirmation question?

Please supply your full credit card number ending in ####.

Um, that's the information I'm trying to protect in the first place.

edit: sorry about the "full retard" - trying to quote from Tropic Thunder/RDJ. did not mean to offend

[+] saurik|12 years ago|reply
Doesn't that make it the perfect question? For someone to answer the question correctly, they have to demonstrate that they don't even need to do so, because they already know the thing you wanted to protect?
[+] k-mcgrady|12 years ago|reply
>> "PayPal went full retard."

I'm not usually big on political correctness but you could so easily replace that phrase with something that's not taking the piss out of people.

[+] anujnayar|12 years ago|reply
That's only the case if you do the password reset when you are already logged into your account. It's another layer to prevent people changing your password on a shared computer if you stepped away, for example. It doesn't happen if you are not logged in.
[+] BudVVeezer|12 years ago|reply
When I tried to change my password to a twenty character pass phrase, I wasn't allowed because it was "too weak". Adding a single digit made it "strong." I am not particularly comforted by this.
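BudVVeezer's observation is what a rule-based meter does by construction: it counts character classes rather than estimating guessing effort. The Go below is an added example, not code from the thread or from eBay or PayPal, contrasting a constructed class-counting meter with two estimates of guessing effort: a per-character charset bound, and a dictionary-aware estimate that charges one word from a 7,776-word list (the size of the Diceware list) per recognised word. The four-word dictionary, the "two classes and eight characters" rule, and the passwords are constructed for the example; it attempts no leetspeak or keyboard-pattern matching, so real meters such as zxcvbn do considerably more.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// SampleDict is a constructed four-word dictionary; DicewareSize is the size
// of the standard Diceware word list, used here as the per-word guessing cost.
var SampleDict = map[string]bool{"correct": true, "horse": true, "battery": true, "staple": true}

const DicewareSize = 7776

// classes reports which character classes occur in pw.
func classes(pw string) (lower, upper, digit, symbol bool) {
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return
}

// ClassMeter is a constructed stand-in for a rule-based strength meter:
// "strong" means at least eight characters and at least two classes.
// Length beyond eight earns nothing, which is the failure the comment describes.
func ClassMeter(pw string) string {
	l, u, d, s := classes(pw)
	n := 0
	for _, present := range []bool{l, u, d, s} {
		if present {
			n++
		}
	}
	if len([]rune(pw)) >= 8 && n >= 2 {
		return "strong"
	}
	return "weak"
}

// CharsetBits is the brute-force upper bound, length * log2(alphabet size),
// assuming the attacker knows only which classes are present.
func CharsetBits(pw string) float64 {
	l, u, d, s := classes(pw)
	pool := 0
	if l {
		pool += 26
	}
	if u {
		pool += 26
	}
	if d {
		pool += 10
	}
	if s {
		pool += 33
	}
	if pool == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(pool))
}

// WordAwareBits charges log2(dictSize) per recognised dictionary word (greedy
// longest match) and per-character charset bits for anything else, which is
// closer to how a word-list attack is actually priced.
func WordAwareBits(pw string, dict map[string]bool, dictSize int) float64 {
	runes := []rune(pw)
	bits := 0.0
	for i := 0; i < len(runes); {
		matched := 0
		for j := len(runes); j > i; j-- {
			if dict[string(runes[i:j])] {
				matched = j - i
				break
			}
		}
		if matched > 0 {
			bits += math.Log2(float64(dictSize))
			i += matched
		} else {
			bits += CharsetBits(string(runes[i : i+1]))
			i++
		}
	}
	return bits
}

func main() {
	for _, pw := range []string{"correcthorsebatterystaple", "correcthorsebatterystaple1", "P4ssw0rd"} {
		fmt.Printf("%-27s meter=%-6s charset=%6.1f bits  word-aware=%5.1f bits\n",
			pw, ClassMeter(pw), CharsetBits(pw), WordAwareBits(pw, SampleDict, DicewareSize))
	}
}
```

The meter calls the 25-character passphrase "weak" and "P4ssw0rd" "strong"; the word-aware estimate puts the passphrase near 52 bits and "P4ssw0rd" near 35, the opposite ranking, and appending the digit that satisfies the meter adds only about three bits. A policy that wants to reward long passphrases has to score estimated guesses (or at minimum length), not class counts.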
[+] mikeash|12 years ago|reply
Credit card numbers should be way down on your list of info to protect. They're easy to change and the consequences of a compromise are small (you're not liable for any fraudulent transactions as long as you're paying the least bit attention). Worry about your checking account number and other info, but not your card numbers.
[+] freehunter|12 years ago|reply
>Cyberattackers compromised a small number of employee log-in credentials

This bothers me. No one cares how many employee logins were stolen. It only takes one to cause a huge amount of damage. Is anyone reading this thinking "oh, it's okay, they didn't take too many employee logins"?

[+] mhurron|12 years ago|reply
> No one cares how many employee logins were stolen.

Well, that's not entirely true. First off, it indicates that the breach was relatively contained. Or at least eBay wants you to think that.

The smaller the number the less chance there is that the credentials were to more privileged employees. Not every employee is created the same. Not every employee has access to account data and not every employee could send customers corporate communications.

Now yes, the who they got is important over the how many, but the how many can be stated without giving too much away.

[+] mikeash|12 years ago|reply
The whole press release is hilariously downplayed. This is very much a "hair on fire" moment for them, but the way they wrote this is so very casual.

They focus on relatively unimportant aspects of what happened and leave the big stuff as an afterthought. It's like an airline captain announcing, "Due to mechanical problems, we will be late getting into New York. For those of you on connecting flights, we will re-book you on later flights at no charge, ensure that your luggage travels with you. I apologize for the inconvenience. Also, all the engines are on fire and we're probably all going to die."

It seems that they think their best way forward is if most of their users don't grasp the significance of what happened.

[+] Theodores|12 years ago|reply
This is headline top-story news on the BBC right now therefore it must be 'big'. Yet no evidence of anyone making unauthorised access.

We have had a resurgence of 'Snowden' stories in the last few days, so here is a hypothetical scenario: what does a company do if the hackers turn out to be NSA/GCHQ? It is unlikely that they would drop an email to explain that they had just stolen the whole customer database because of some 'al-qaeda' based reasoning, so you would not know it was them. If you suspected it was them then people would wonder if you had taken your meds. If you got the FBI involved then they would tell you it was some script kiddies rather than the Peeping-Tom-Brigade.

Or, if you did know it was the NSA, then you might think that information was safe in their hands and not feel the need to tell the customers.

I look forward to when we get stories where the NSA are explicitly blamed for a data breach instead of some random Chinese hacker, and that emails are sent out saying 'we have been hacked by the NSA again, can you change your passwords please?'. If the NSA crawled out of the darkness to deny the breach then nobody would believe them.

[+] planetjones|12 years ago|reply
I wish the media could report these stories accurately. The BBC News ticker is currently saying:

"Ebay asking people to change passwords after a cyberattack compromised database containing encrypted user details"

Not True! The user details were unencrypted, bar the password.

[+] davb|12 years ago|reply
And neither eBay nor PayPal allow me to paste a secure password from KeePassX. sigh

Edit: I can now paste on eBay (not sure what went wrong the first time) but PayPal is still actively preventing pasting a new password.

[+] dang|12 years ago|reply
We changed the title because, as users pointed out, it was misleading.
[+] pling|12 years ago|reply
Considering the situation, it's either poor timing or related, but I can't change my PayPal password. Get a blank page.

Not confident.

To be honest it takes the piss as they are spamming UK TV with adverts for how secure PayPal is at the moment.

Really wish I never signed up but eBay has a monopoly on the payment types now.

[+] brador|12 years ago|reply
Is this only for ebay US or are other country versions affected too?
[+] askew|12 years ago|reply
Unfortunately, attempting to reset one's password results in:

> Sorry. We're currently experiencing technical difficulties and are unable to complete the process at this time.

Swamped already?

[+] Touche|12 years ago|reply
Why are they not automatically resetting passwords?
[+] kmfrk|12 years ago|reply
Same thing happened with Comixology.
[+] hpoydar|12 years ago|reply
Took a trip back to 2002 and visited the Account Settings / Personal Information screen to change my password. No alerts or redirects on login to change credentials. (But evidently an exciting "deal frenzy" is important enough to highlight in all caps and red text in the nav bar). Ok, so the PayPal DB wasn't affected, but does that matter? PayPal account is fully linked up there.
[+] ExpendableGuy|12 years ago|reply
So I logged into eBay for the first time in over a year to change my password, and noticed that eBay edited my reply to a buyer's feedback.

Has anyone else heard about eBay doing this? I have no way to edit it back to the way it was from what I can tell. It's infuriating -- they changed the word "Buyer" to "Seller" to make it sound like my reply to feedback was referring to myself.

[+] UVB-76|12 years ago|reply
Remember a couple of months ago when Icahn described eBay as the worst-run company he'd ever seen? [1]

Seems rather prescient now. Their incompetence has just cost us all our personal information.

[1] http://www.cnbc.com/id/101467290

[+] ericcholis|12 years ago|reply
Given that important auxiliary details were compromised (name, phone, etc.), I'm beginning to think that encrypting that information should be more standard. Obviously this leads to trouble if searching by that information is required....
[+] twistedpair|12 years ago|reply
It's called PII, Personally Identifiable Information. In many industries, there are indeed strict requirements for protecting it... just not at eBay, which, for its age, probably predates any such standard practices.
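A concrete answer to the "how do you search it once it's encrypted" objection raised above, added here in Go as an example that is not code from the thread or from eBay: each PII field is stored under AES-256-GCM, bound to its row ID as associated data, next to a blind index, an HMAC-SHA256 of the normalised value under a second, independent key. Equality lookups go through the index; range and substring queries do not, and identical values produce identical index entries, which is the trade-off. The keys, the in-memory Store, and the e-mail addresses are constructed for the example; a deployment would keep the keys in a KMS or HSM rather than beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Keys are two independent secrets: one for AES-256-GCM on the field itself,
// one for the HMAC blind index. Constructed for this example.
type Keys struct {
	EncKey   []byte // 32 bytes
	IndexKey []byte
}

// Record is the row the database actually holds: no plaintext email anywhere.
type Record struct {
	ID         int
	EmailCT    []byte // nonce || AES-GCM ciphertext, AAD-bound to the row ID
	EmailIndex string // hex HMAC-SHA256 of the normalised email
}

func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// BlindIndex is a keyed, deterministic digest that supports equality lookups
// without revealing the value; without IndexKey the index cannot be guessed
// by hashing candidate addresses.
func BlindIndex(indexKey []byte, email string) string {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(normalizeEmail(email)))
	return hex.EncodeToString(m.Sum(nil))
}

// Encrypt seals plaintext with AES-256-GCM under a fresh random nonce; aad
// binds the ciphertext to its context (here the row ID) so a ciphertext cannot
// be transplanted onto another row.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt and fails on any tampering or a mismatched aad.
func Decrypt(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Store is an in-memory stand-in for the customer table and its index.
type Store struct {
	keys    Keys
	rows    map[int]Record
	byIndex map[string][]int
}

func NewStore(k Keys) *Store {
	return &Store{keys: k, rows: map[int]Record{}, byIndex: map[string][]int{}}
}

func (s *Store) Insert(id int, email string) error {
	ct, err := Encrypt(s.keys.EncKey, []byte(email), []byte(strconv.Itoa(id)))
	if err != nil {
		return err
	}
	idx := BlindIndex(s.keys.IndexKey, email)
	s.rows[id] = Record{ID: id, EmailCT: ct, EmailIndex: idx}
	s.byIndex[idx] = append(s.byIndex[idx], id)
	return nil
}

// FindByEmail computes the blind index, looks it up, then decrypts only the
// candidate rows to confirm the match before returning their IDs.
func (s *Store) FindByEmail(email string) ([]int, error) {
	var out []int
	for _, id := range s.byIndex[BlindIndex(s.keys.IndexKey, email)] {
		pt, err := Decrypt(s.keys.EncKey, s.rows[id].EmailCT, []byte(strconv.Itoa(id)))
		if err != nil {
			return nil, err
		}
		if normalizeEmail(string(pt)) == normalizeEmail(email) {
			out = append(out, id)
		}
	}
	return out, nil
}

func main() {
	keys := Keys{EncKey: make([]byte, 32), IndexKey: make([]byte, 32)}
	rand.Read(keys.EncKey)
	rand.Read(keys.IndexKey)
	s := NewStore(keys)
	s.Insert(1, "Alice@Example.com") // constructed sample addresses
	s.Insert(2, "bob@example.com")
	ids, _ := s.FindByEmail("alice@example.com")
	fmt.Println("rows matching alice:", ids, "index prefix:", s.rows[1].EmailIndex[:16])
}
```

Two design points worth noting: the index key must be separate from the encryption key, so that a leaked index never helps recover ciphertext, and the row ID goes into the associated data, so that swapping two customers' ciphertexts in the database fails authentication on read rather than silently returning the wrong person's data.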