Author Topic: Yet another security breach - this time it's eBay... (Read 2287 times)

Paddy · « **on:** May 21, 2014, 12:09:56 PM »

http://www.techhive.com/article/2157604/eb...s-breached.html

It's time to do the happy (not) dance yet again.

All I can say is that I'd be lost without 1Password at this point. 300+ passwords (many for clients' sites) and counting...

Xairbusdriver · « **Reply #1 on:** May 21, 2014, 02:55:49 PM »

I says enjoy the statements from the hacked company reassuring us that they found no evidence of other data being tampered with or stolen.

Yeah. Right. BTW, wouldn't it have been better to say "We discovered attempts to steal your data but our security systems prevented the hacker from even finding it, much less seeing or taking it.' I'm jist sayin'

kimmer · « **Reply #2 on:** May 21, 2014, 05:07:40 PM »

Thanks for this link, Paddy, as I've not yet received a notice from ebay, and when I logged in there this am, there wasn't a message or alert greeting me.

I found this portion of their statement disconcerting:

"...no evidence of the compromise resulting in unauthorized activity for eBay users" BUT ... "The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth."

So if the user has logged in with real name, real physical address (both necessary to pay and buy), real phone number and your actual date of birth -- you are ripe for identity theft. Wouldn't necessarily occur at ebay, but other places. This is why I never, ever, use my true birthdate at places like this. So thankful that I can record my registration info in the comments box in 1Password login for sites. I'd be horribly confused if I had to remember all the ~~lies~~ ... ~~stretching of truth~~ ... id protection answers I've used.

Paddy · « **Reply #3 on:** May 21, 2014, 10:56:49 PM »

I do find it odd that eBay hasn't put a BIG NOTICE on their front page OR sent out any emails as of yet. There's just a posting on their "Announcements" page:

http://announcements.ebay.com

If they hadn't issued a press release which MacWorld featured, I probably wouldn't have known about it. I had changed my PW in March, but since the breach occurred in Feb. & March I changed it yet again.

Xairbusdriver · « **Reply #4 on:** May 22, 2014, 10:44:34 AM »

Seems I only created an account in Feb of this year. And the email, eBay ID or password didn't work. Had them send me an email (apparently that was correct) and that allowed me to change the old password. That's all I wanted/needed to do anyway. Still not sure why I even have an account. Although I did offer something for sale several years ago...

Now I'm just hoping the email was actually sent fro eBay and not some crafty hacker...

If it is fake, they have a nice looking rip-off site!

Tried my wife's account, it doesn't work, either. I suppose it's possible that eBay has simply deleted everyones password and is forcing the email renewal method...

Paddy · « **Reply #5 on:** May 23, 2014, 08:34:40 PM »

QUOTE(Xairbusdriver @ May 22 2014, 11:44 AM) <{POST_SNAPBACK}>

Seems I only created an account in Feb of this year. And the email, eBay ID or password didn't work. Had them send me an email (apparently that was correct) and that allowed me to change the old password. That's all I wanted/needed to do anyway. Still not sure why I even have an account. Although I did offer something for sale several years ago...

Now I'm just hoping the email was actually sent fro eBay and not some crafty hacker...

If it is fake, they have a nice looking rip-off site!

Tried my wife's account, it doesn't work, either. I suppose it's possible that eBay has simply deleted everyones password and is forcing the email renewal method...

Don't think they've done anything like that, Jim - my password certainly worked and I changed it a couple of days ago and that one continues to work.

Seems I'm not the only person who noticed eBay's stunning lack of response/notification of this breach:

http://www.wired.com/2014/05/ebay-demonstr...ge-data-breach/

Xairbusdriver · « **Reply #6 on:** May 23, 2014, 09:00:31 PM »

Well, I was only hopefully "supposing". It turned out I was simply using an incorrect password for her. Still not sure why mine was problematic. Probably not a bad idea to "close" my account, assuming that would actually delete my info...

Sooz · « **Reply #7 on:** May 25, 2014, 12:29:24 AM »

I received absolutely no notice or emails from eBay about this issue.

What do you all think of "1Password" versus "Lastpass" or other free options?

BTW, I don't recall having to give my birth date to eBay, but it's been a while.

I did, however, go to eBay and changed my PW. When I signed in, I saw the https and the little lock icon, but once I was past that point and into eBay, the https and the icon disappeared. Is that something worrisome or normal, once I'm in the site?

Smiles,
Sooz

Xairbusdriver · « **Reply #8 on:** May 25, 2014, 09:53:56 AM »

I highly recommend 1Password and have since they first started a dozen or so years ago. Well tested, reliable, secure and helpfull and fast support if you ever need it. Others have had good luck with Lastpass. Frankly, I'd stay away from most free apps when it comes to passwords and their generation and storage. It takes a certain amount of resources to create, test, develope, re-test, find bugs, test, etc., how many people can do that, by themselves, without pay? Some open source groups cN do this with some apps. Why take the chance?

buy and, more importantly, use a well known and supported app.

httpS is not really needed for most sites after you've logged in. However, any time you need to enter personal or financial info, you should see those icons and the other security indications. I think we should seriously consider where and why we spread/share our personal/financial data. Does the site requiring it really need it? Do we plan on using that site at least once a (insert your frequency here)? Why do I trust this site/company?

Xairbusdriver · « **Reply #9 on:** May 26, 2014, 09:00:19 AM »

You should be getting your "Please Reset Your Password" email from eBay any minute, it's probably in your mailbox now. There are remote images, which I find slightly strange; surely they have enough storage space for their own images. However, there are no links in the message which is encouraging and help persuade me that it is valid. I suppose the delay was finding enough bandwidth for the extremely heavy CSS and html garbage used to end up making the message so plain and simple! They are probably using a 'Basic' email subscription service that allows only a few hundred messages per hour (with size limits, of course) for the first few months...

Xairbusdriver · « **Reply #10 on:** May 26, 2014, 09:04:44 PM »

Always a target because they are the arch enemy, the security app company, Avast, has been hacked. Here's part of the email from them with advice for everyone concerning passwords and how not to use them (emphasis added):

QUOTE

The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.

And the correct behavior of any site that is hacked is also mentioned. Are you listening/reading eBay?

Fortunately(?) the hack was not of the software owned/built/maintained by Avast, instead, it was the third-party (not identified) forum software that was compromised. If this is true it means any other site that uses that software may be vulnerable.

Sooz · « **Reply #11 on:** May 27, 2014, 01:08:47 PM »

Thanks for the reply, XAirbee!

The "please reset your password" email message from eBay was NOT sent to my email address, but instead, was found in my "Messages" folder on eBay. I seldom go to eBay and would have missed it entirely had I not heard about the breach of security on the news. eBay seems to have dropped the ball in number of ways!

Smiles,
Sooz

Paddy · « **Reply #12 on:** May 27, 2014, 02:00:24 PM »

I got an email from eBay this morning - a mere 6 days after I'd already reset my password.

As for the Avast forums, in the PCWorld article, they have this to say:

QUOTE

Steckler wrote the forum was hosted on an isolated, third-party platform for many years. Avast plans to rebuild the forum using a new software platform, which will be faster and more secure.

So it wasn't one of the popular forum software platforms out there...

Xairbusdriver · « **Reply #13 on:** May 27, 2014, 02:31:01 PM »

QUOTE

So it wasn't one of the popular forum software platforms out there...

That was kind of worrisome to me, also. I suppose the developers of that SW have made changes and promised to refund the last subscription fee to Avast!

Of course, Avast may not have followed standard procedure by keeping such software up-to-date... oh... wait...

Sooz · « **Reply #14 on:** May 28, 2014, 01:12:49 AM »

Well, well, well--about an hour ago I received an email to my email account from eBay, about changing my password.

I am channeling my inner Gomer Pyle and thinking "Surprise surprise surprise!"

Smiles,
Sooz

News:

Author Topic: Yet another security breach - this time it's eBay... (Read 2287 times)