eBay finally prompts users to change passwords after huge data breach

Notice begins to appear on home page of ebay.com

eBay on Friday put a notice on its home page urging users to change their passwords after security experts had criticized the auction site for failing to promptly alert customers about a massive break-in and data theft.

The notice, which includes a link to the password reset process, was part of the advice eBay had given its users on Wednesday to immediately change their passwords.

That same day, eBay announced a huge data breach that had taken place in late February and early March. Hackers made off with the user database, which contained names, email and street addresses, phone numbers and passwords for an estimated 145 million eBay users. eBay said that the user information was encrypted.

The attackers compromised a "small number of employee log-in credentials," eBay said, to gain access to its network, then scoured the firm's systems before making off with the database. The San Jose, Calif. company discovered the break-in earlier this month.

"Take a moment to change your password," said Devin Wenig, president of eBay Marketplaces, in a notice on the website. "This will help further protect you; it's always a good practice to periodically update your password."

Wenig also urged customers to change passwords on other sites if they had reused the one for eBay.

Graham Cluley, a prominent security blogger who previously worked for U.K. security company Sophos, has been critical of eBay's slow reaction to the break-in, particularly the lack of a change-password notice on the Marketplace home page.

"If you're one of the world's top websites, and hackers broke in a couple of months ago, making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?" Cluley asked on his blog Wednesday. "And wouldn't it be good if you provided an easy link where people could reset their passwords?"

Cluley and others slammed eBay for not prompting users to change their passwords, for not emailing them as it had promised, and for making it difficult to switch to a new password.

Computerworld encountered problems changing passwords on eBay as well; in one password-reset section, eBay's site would not let staffers paste in new passwords generated by 1Password, a popular Mac password manager.

Today, Cluley said that he had seen the change-password message on the U.K. version of eBay yesterday. "But I know other countries have taken longer," he said in an email. "Their response time has hardly been impressive."

eBay has published an FAQ about the break-in on its corporate website.

eBay finally put a change-password notice on its website to prompt users to create new credentials after a massive data breach months earlier.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
