posted by janrinok on Wednesday May 21 2014, @08:07PM   Printer-friendly
from the it-had-to-happen-sometime dept.

eBay Accounts Compromised

eBay is reporting that, due to the compromise of an employee account in late February/early March, all of their customers' data is possibly compromised. Their Press Release says "no evidence of any unauthorized access to financial or credit card information" was seen, but intruders got "eBay customers' name, encrypted password, email address, physical address, phone number and date of birth".

They say that "beginning later today [eBay] will be asking eBay users to change their passwords".

eBay Tells Users To Change Passwords

No longer a surprise when this happens, but hurts a little that they took 2 months to inform their users!

http://m.aljazeera.com/story/201452113462206983

  • (Score: 1) by NullPtr on Wednesday May 21 2014, @08:11PM

    by NullPtr (3786) on Wednesday May 21 2014, @08:11PM (#46109) Journal

    Why? They needed to know if there was a problem, and anyone affected (no-one in this instance) should get their money back anyway. Just like if a bank suffers an attack like this.

    Nothing to see here. Move along.

  • (Score: 2) by omoc on Wednesday May 21 2014, @08:12PM

    by omoc (39) on Wednesday May 21 2014, @08:12PM (#46110)

    Every week some service requires a password change; I've had enough! I'll delete my eBay account now. I just got an email from SourceForge and apparently they also want me to change my password. Salted hashes are nothing new, which makes you think what kind of developers are in charge of such large sites.

    • (Score: 4, Informative) by Angry Jesus on Wednesday May 21 2014, @08:26PM

      by Angry Jesus (182) on Wednesday May 21 2014, @08:26PM (#46118)

      > Salted hashes are nothing new, which makes you think what kind of developers are in charge of such large sites.

      Unfortunately, salting isn't enough any more. That was good for rainbow table attacks, but nowadays GPUs are really, really, really fast.

      Here's an analysis from nearly 3 years ago [ircmaxell.com] - for $2K it was feasible to naively brute force any 8 character salted password hashed with sha256.

      • (Score: 1) by e_armadillo on Wednesday May 21 2014, @08:47PM

        by e_armadillo (3695) on Wednesday May 21 2014, @08:47PM (#46125)

        I know my ignorance is showing here, so what's new? :-)
        Does that mean we should start to fear these ASIC bitcoin miners as they become unprofitable for bitcoin mining? Could they end up being brute force password cracking engines? I am not saying the miners would do this, but they will probably sell off their obsolete hardware as they move to faster, more profitable hardware.

        --
        "How are we gonna get out of here?" ... "We'll dig our way out!" ... "No, no, dig UP stupid!"
        • (Score: 2) by Angry Jesus on Wednesday May 21 2014, @09:05PM

          by Angry Jesus (182) on Wednesday May 21 2014, @09:05PM (#46136)

          > Does that mean we should start to fear these ASIC bitcoin miners as they become unprofitable for bitcoin mining?

          Depending on the value of whatever is on the other side of a password, we might have to worry about them now because of all the bitcoin cloud mining operations [google.com] that will lease cpu time on a large number of miners. That assumes that the target passwords are hashed with the same hash functions implemented in those ASICs. I don't know enough about mining ASICs to say if the engineers throw in other functions too, they might do that if it is essentially free.

          • (Score: 3, Informative) by kaszz on Wednesday May 21 2014, @09:35PM

            by kaszz (4211) on Wednesday May 21 2014, @09:35PM (#46150) Journal

            ASIC has quite steep investment cost for any substantial changes. GPUs and FPGAs are a worse threat.

            • (Score: 2) by Angry Jesus on Wednesday May 21 2014, @09:42PM

              by Angry Jesus (182) on Wednesday May 21 2014, @09:42PM (#46154)

              > ASIC has quite steep investment cost for any substantial changes.

              Right. I'm not talking a redesign, I'm talking about dropping in other hash algorithms from a library when the ASIC is first designed because there is free space available that would go unused otherwise.

              • (Score: 2) by kaszz on Wednesday May 21 2014, @11:59PM

                by kaszz (4211) on Wednesday May 21 2014, @11:59PM (#46188) Journal

                I doubt there's any "free space" around. Die space is at a premium ($$) in that business. What can be done is a design using SRAM cells to allow enough reconfiguration. But it most likely won't cut it. That would mean a new design, which is costly. But once done, the chips can be "printed" on the cheap in large volumes.
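The subthread above makes two related points: a salt only defeats precomputed (rainbow) tables, and the remaining cost of a salted single SHA-256 is one fast hash per guess, which GPUs (and, in principle, any SHA-256 hardware) chew through quickly. The following Python is an added illustration written for this page; it is not eBay's code, nor the code from the linked ircmaxell analysis. It brute-forces a constructed toy salted-SHA-256 hash, works out the size of the 8-character printable-ASCII keyspace, and shows how a deliberately slow KDF (PBKDF2-HMAC-SHA256, used here as a stand-in for any iterated or memory-hard password hash) changes the arithmetic. The guess rate of 1e9 hashes per second is an assumption for the arithmetic, not a measurement of any real rig.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed inputs for this example; the real salts and hashes are not known.
ALPHABET_LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols
PRINTABLE_ASCII = 95  # size of the printable ASCII alphabet


def salted_sha256(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 per guess. The salt defeats precomputed (rainbow) tables,
    but an attacker holding the salt still pays only one fast hash per candidate."""
    return hashlib.sha256(salt + password).digest()


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """A deliberately slow KDF: each guess costs `iterations` HMAC-SHA-256 rounds,
    so the same hardware tries far fewer candidates per second."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def brute_force(target: bytes, salt: bytes, alphabet: str, max_len: int, hash_fn):
    """Exhaustively try every string of 1..max_len characters from `alphabet`,
    comparing hash_fn(candidate, salt) with `target` in constant time.
    Returns (recovered password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo).encode()
            if hmac.compare_digest(hash_fn(candidate, salt), target):
                return candidate.decode(), guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return space / guesses_per_second


def slowed_rate(fast_rate: float, iterations: int) -> float:
    """Approximate guess rate once each guess costs `iterations` HMAC rounds
    instead of one hash (ignores HMAC's own constant overhead, so it is
    slightly generous to the attacker)."""
    return fast_rate / iterations


if __name__ == "__main__":
    salt = os.urandom(16)
    secret = b"s3c"  # constructed toy password, kept short so the demo runs in seconds
    recovered, tried = brute_force(salted_sha256(secret, salt), salt,
                                   ALPHABET_LOWER_DIGITS, 3, salted_sha256)
    print(f"salted SHA-256: recovered {recovered!r} after {tried} guesses")

    space = keyspace(PRINTABLE_ASCII, 8)
    assumed_rate = 1e9  # ASSUMPTION: 1e9 salted SHA-256 guesses/s, not a measurement
    days = seconds_to_exhaust(space, assumed_rate) / 86400
    print(f"8 printable chars: {space:,} candidates, {days:.0f} days at {assumed_rate:.0e}/s")

    slow = slowed_rate(assumed_rate, 600_000)
    years = seconds_to_exhaust(space, slow) / 86400 / 365
    print(f"same rig vs PBKDF2(600k iterations): ~{slow:.0f} guesses/s, {years:,.0f} years")
```

The toy search recovers a three-character password in well under a second, which is the whole point: the salt made the attacker start from scratch, but starting from scratch is cheap when one guess is one hash. Raising the per-guess cost with an iterated KDF is what turns the 8-character exhaustive search from days into centuries on the same hardware, and a memory-hard function (scrypt, Argon2) additionally resists the ASIC and FPGA approaches discussed above because the cost is dominated by RAM rather than by hash throughput.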

    • (Score: 2) by kaszz on Wednesday May 21 2014, @08:26PM

      by kaszz (4211) on Wednesday May 21 2014, @08:26PM (#46119) Journal

      Don't worry the Pointy Haired Boss will collect a replacement developer with the same skill set..

      (no developer product will be better than the management can handle..)

    • (Score: 2, Funny) by LoRdTAW on Wednesday May 21 2014, @08:58PM

      by LoRdTAW (3755) on Wednesday May 21 2014, @08:58PM (#46132) Journal

      Salted hashes are nothing new, which makes you think what kind of developers are in charge of such large sites.

      Obviously they are on a low sodium diet.

    • (Score: 2) by SGT CAPSLOCK on Thursday May 22 2014, @05:13AM

      by SGT CAPSLOCK (118) on Thursday May 22 2014, @05:13AM (#46263) Journal

      Hey, good luck deleting your eBay account! I've been trying to get mine deleted for over a year now.

      Sometimes I like to fill out their account deletion request form and just swear at them. It makes me feel good. Other times I like to tell them that I'm intently going to pursue breaking their EULA, or that I intend to use my account to scam people/etc.

      Don't get me wrong - I was really nice to them for the first few requests, and I had a five star seller rating too. But then they ignored my account deletion requests, and continue to do so.

      I even have a fake name/address/etc on my account now, but they still won't delete it. So, I wish you better luck than me!

      • (Score: 2) by omoc on Thursday May 22 2014, @07:04PM

        by omoc (39) on Thursday May 22 2014, @07:04PM (#46484)

        You're doing something wrong, it's as simple as this:

        http://cgi1.ebay.de/ws/eBayISAPI.dll?CloseAccount&guest=1 [cgi1.ebay.de]

        • (Score: 2) by SGT CAPSLOCK on Saturday May 24 2014, @05:11AM

          by SGT CAPSLOCK (118) on Saturday May 24 2014, @05:11AM (#47027) Journal

          Filling out that form responds:

          We can't close your account at this time because:

                  Unfortunately, we can't close your account yet, because it has been suspended, restricted, or is otherwise not meeting minimum seller standards. Until you have resolved this matter, your account must remain open. If you would like to appeal your suspension or have an account reviewed by a member of our Trust & Safety team, please contact us.

          ---

          My account is not locked, suspended, or anything like that, but something in their system thinks that it is. In fact, I have no messages, I have 100% positive feedback on a large amount of transactions, I have no outstanding fees, and I've never had any problems until I decided to close the account.

          I can't be bothered to deal with their outsourced call center workers over the phone any more to try and figure it out. From what I understand (and nahh, I can't really understand them), they have no idea what's wrong either.

          At one point I even went as far as to email privacy@ebay.com to tell them that I don't agree to their Terms of Service, EULA, Privacy Disclaimer, etc, and that I've posted my account's name and password on various forums [which was a lie]. They really don't care. It's still open. They just say to call customer support... again... and again... and again...

  • (Score: 3, Funny) by gallondr00nk on Wednesday May 21 2014, @08:13PM

    by gallondr00nk (392) on Wednesday May 21 2014, @08:13PM (#46111)

    Judging by the wording, it suggests that they only bothered with the password. I guess we'll find out over the coming days.

    Very poor. I shall have to leave negative feedback.

    • (Score: 1, Funny) by Anonymous Coward on Wednesday May 21 2014, @09:24PM

      by Anonymous Coward on Wednesday May 21 2014, @09:24PM (#46145)

      An A with only 6 plusses?

  • (Score: 1) by Buck Feta on Wednesday May 21 2014, @09:15PM

    by Buck Feta (958) on Wednesday May 21 2014, @09:15PM (#46139) Journal

    I'll just close my account instead of changing my password.

    --
    - fractious political commentary goes here -
    • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 21 2014, @11:06PM

      by Anonymous Coward on Wednesday May 21 2014, @11:06PM (#46174)

      By closing your account, you're training companies like eBay that they should've just kept their collective mouths shut instead of informing users there was a breach.

      • (Score: 2, Insightful) by Buck Feta on Thursday May 22 2014, @01:55AM

        by Buck Feta (958) on Thursday May 22 2014, @01:55AM (#46228) Journal

        By scolding your child you are teaching them not to get caught.

        --
        - fractious political commentary goes here -
  • (Score: 3, Insightful) by ancientt on Thursday May 22 2014, @01:33AM

    by ancientt (40) <ancientt@yahoo.com> on Thursday May 22 2014, @01:33AM (#46221) Homepage Journal

    In 2003 the US government started pushing for e-authentication systems that would allow you to sign into multiple (most) sites without having to maintain credentials for each site independently and more importantly, keep every site from having to keep user credentials secure.

    I loathe having to use Facebook to log into a site, but I loathe having to set up new credentials on each site I want to participate in even more. With Slashdot I set up OpenID so that when I logged in, it required a response with my mobile phone and I happily showed off how that system worked. Now I have separate credentials to three home banking systems (with multiple credentials for some) and PayPal, eBay, Amazon, Yahoo and Google and I *care* about my security on those sites. I have about 50 others that I consider important, but not important enough to set multi-factor authentication up on.

    What I want is what we were supposed to get starting in 2003, one single authentication system with strong security and multi-factor authentication for everything. What happened? (Rhetorical, I know what happened and it disgusts me.)

    --
    This post brought to you by Database Barbie
    • (Score: 0) by Anonymous Coward on Thursday May 22 2014, @04:38AM

      by Anonymous Coward on Thursday May 22 2014, @04:38AM (#46256)

      Wait, you want the US government to develop a single sign-on system for you?

      That's somewhere just around the level of Apple's iCloud keychain being announced the day after the Snowden shit hit the fan.

      Wait, are you trolling? Because I honestly can't tell. Did I just fall for that?

      Also, word is that the eBay hack was an inside job. With the right man on the inside, security is just an illusion.

      • (Score: 2) by ancientt on Thursday May 22 2014, @08:27PM

        by ancientt (40) <ancientt@yahoo.com> on Thursday May 22 2014, @08:27PM (#46523) Homepage Journal

        No, I wasn't advocating for the government to do it, just pointing out that they wanted private enterprise to do it more than ten years ago. I used OpenID with a couple of different companies and was pretty happy with it, particularly since they did MFA before even most of the big sites started to offer it. OpenID seems to have lost to Facebook as an authenticator, but I'm disappointed that there isn't something better that is succeeding.

        --
        This post brought to you by Database Barbie
    • (Score: 3, Interesting) by Ezber Bozmak on Thursday May 22 2014, @04:44AM

      by Ezber Bozmak (764) on Thursday May 22 2014, @04:44AM (#46258)

      Well, I don't want a single authentication system. In real life we are each a different person depending on who we are talking to: the person you are to your children is not the same as the person you are to the people at work. Similarly, the person I am to eBay is not the same person I am to Amazon, and neither is the same person I am to my bank. There is overlap, but there are also unique distinctions.

      Centralised identification is a terrible idea, even if it is made technically secure against breach (which I doubt given what an enormously high-value target it will become) because it magnifies the insecurity of data sharing. South Korea got just a taste of those problems when they mandated that all online accounts include a national-id number and "real name." They cancelled that [thenextweb.com] after realizing it was a major disincentive of free speech and increased vulnerability to identity-theft frauds.

      • (Score: 2) by ancientt on Thursday May 22 2014, @08:19PM

        by ancientt (40) <ancientt@yahoo.com> on Thursday May 22 2014, @08:19PM (#46518) Homepage Journal

        You're right of course, and I knew that was the case but it makes for a much longer post. Of course there should be more than one provider, probably dozens or even hundreds to choose from and of course I should be able to maintain separate identities. None of this is really new, and OpenID did that sort of thing. OpenID was flawed in other issues, but the idea was sound. When I set up an account with a site using OpenID, I still sometimes had to set up a username there and other info, but the authentication part was handled by OpenID rather than the site. So I had different IDs with different sites, and I used different OpenID providers as well. There are many nuances to what can be done, but what shouldn't have been done was having every site try to do their own security.

        --
        This post brought to you by Database Barbie
    • (Score: 1) by mr_bad_influence on Thursday May 22 2014, @07:59PM

      by mr_bad_influence (3854) on Thursday May 22 2014, @07:59PM (#46509)

      The only problem I see with single sign-on authentication is if it should get compromised, the bad guys have the keys to everything in your kingdom.

      • (Score: 2) by ancientt on Thursday May 22 2014, @08:35PM

        by ancientt (40) <ancientt@yahoo.com> on Thursday May 22 2014, @08:35PM (#46526) Homepage Journal

        You're right about the danger. But I think the pros outweigh the cons by a wide margin. One of the big pros is that single sign-on authentication means people who reuse passwords (and most people do) aren't relying on the weakest link. Another is that multi-factor authentication is easier to maintain and makes it tremendously harder for someone to use stolen credentials.

        There is always a trade off between security and convenience. The fact that we're posting on the internet shows that we're willing to give up some security in exchange for the convenience of internet access. Most people will trade a lot of security for a little convenience, so one of the best ways to deal with that is to make it more convenient to use something likely to be more secure than to use something less secure.

        --
        This post brought to you by Database Barbie
  • (Score: 0) by Anonymous Coward on Thursday May 22 2014, @01:58PM

    by Anonymous Coward on Thursday May 22 2014, @01:58PM (#46372)

    Apparently they've also implemented a new password cap, much like PayPal, that maxes at 20 characters. So yeah, for those who use password managers and 20+ character long passwords, adjust accordingly.

    Also, they say that they recommend symbols, but apparently some symbols don't work, as I created a new 20 character password with symbols (no spaces) and it complained that I shouldn't include white space. I suspect that error was either thrown because of the quotation mark in the password (God help us if they're storing their passwords in plaintext for even a few moments) or the fact that I didn't realize the password cap before I typed it in (which they don't let you know of beforehand).

    Plus, they've disabled copy and paste passwords for the password change, even though you can still copy/paste from a manager to log in, so your mileage may vary on that one.

    I know 20 is pretty stonking secure for an online attack, and since I change all my passwords on a monthly schedule, they would (most likely) have no chance to be cracked within that time, but it's still pretty annoying when they don't explicitly tell you.