eBay

Here’s an email I’ve just got from Devin Wenig, eBay marketplaces president (emphasis is mine):

IMPORTANT: PASSWORD UPDATE

Dear eBay Member,

To help ensure customers’ trust and security on eBay, I am asking all eBay users to change their passwords.

Here’s why: Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords.

What’s important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

What I ask of you:
Go to eBay and change your password. Changing your password may be inconvenient. I realize that. We are doing everything we can to protect your data and changing your password is an extra precautionary step, in addition to the other security measures we have in place.

If you have only visited eBay as a guest user, we do not have a password on file.

If you used the same eBay password on any other site, I encourage you to change your password on those sites too. And if you are a PayPal user, we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.

Here are other steps we are taking:
As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.

Here’s what we know: This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers’ name, encrypted password, email address, physical address, phone number and date of birth.

However, the file did not contain financial information. And, after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. We also have no indication of a significant spike in fraudulent activity on our site.

We apologize for any inconvenience or concern that this situation may cause you. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We know our customers have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Devin Wenig
President, eBay Marketplaces

And these are my unanswered questions:

1. Why do you ask me to change my password?

If the passwords are encrypted using a one-way hashing algorithm, as they should be, why should I need to worry? No one, including the hacker, can impersonate me (that is, if they couldn’t do it before, given the fact that they hacked the customer database of the f***ing biggest merchant in the world).

Oh, I know why – because if the hashing algorithm is common, the hackers can use rainbow tables and reverse engineer my password. But wait a second – that’s what salts are for! You did salt my password in addition to hashing it, didn’t you? Didn’t you? And if you did hash and salt, why should I be afraid? I have no technical reason to change it; maybe only some psychological relief.

And what about my secret question and answer? Have they been stolen too? Plain text, or hashed and salted? I really hope the answer is hashed and salted, or else the hackers have another piece of highly valuable information about me.

2. Why the heck do you need my date of birth?

I get it, you need my address and phone number. But why do you need a date of birth? Just to hold another piece of marketing information about me? The prize for the hackers is another piece of valuable information – they can trade it to spammers, who will then increase the flood of rubbish I get. If this is a legal requirement, why didn’t you settle for just a birth year?

3. Was my credit card information stolen or not?

You use evasive phrasing: “we have no evidence that … credit card information was involved”.

Was it or wasn’t it?

I have no evidence that Usain Bolt will beat me in a 100m run. Does that mean I will? Don’t be evasive. Invest everything you can (sorry, that probably also means cutting down your fat profit) and be definitive!

4. How did the hack occur and what steps have you taken to prevent future attacks?

Among all the mumbo jumbo that you wrote, there’s one thing missing: how the hack occurred. You want to be transparent and apologetic? Elaborate on exactly how the hack took place, why it took you so long to discover it and what steps you have taken to prevent similar (and other) hacks from occurring in the future. Rumors say it was a social engineering attack on some of your employees. Is it true? Thanks to the attack, the hackers (and their dodgy clients) now have more means to social engineer us – after all, they can now associate our name, email, address, phone number and date of birth (and maybe the answer to our secret question). So if you were victims of a social engineering attack – come on, tell us. Don’t be shy. You owe us!

eBay, you f***ked up (sorry dear readers, I could definitely have used the clear word here and above; I just don’t want it to hurt the SEO ranking of this page). It doesn’t happen only to you, but from a company with such a big turnover, I expected something else. We expected something else.

eBay, You Disappointed Us Badly
  • Ebay has ordered Lithium to remove threads from their Seller Central discussion board about the recent hacking and/or relocate some of them to an obscure technical questions eBay discussion board (a moderator explained this yesterday in a post to a question about why the threads were disappearing from SC after half a dozen or more threads about the hacking had disappeared). Today, my posting ID received a 7-day ban and the following message from eBay: “We’re sorry, but you have been banned from using this site. You have been banned for the following reason: Violating the rules and policies of the eBay US Community, with actions such as Repetitive, disruptive, or inappropriate threads. Your ban is for 7 days, effective date 2014-05-23. Your Topics: Hacking of Ebay: What Will The Longterm Impact Be On Ebay? & Recent Hacking of Ebay Is A Publicity Nightmare & Why Did eBay Ask Lithium To Move Hacking Threads to Other Boards? & post “True John. Let’s keep those threads about the hacking going here on SC. Make the mods earn their paychecks.” Please refer to the Discussion Boards Usage Policy and the Community Content Policy to review the rules and policies of the community. Additionally, please adhere to these rules and policies in the future. If you feel your ban was in error, contact [email protected]. You have 10006 minutes remaining on the ban.” What is eBay afraid their users are going to find out???

  • Menachem Began

    Just to be safe, I’ve changed not only my eBay password, but I’ve also changed my name and date of birth. One can’t be too careful.

  • Tony

    You’ve got a bit of a kink in your think with point 1.

    If you lose your database, passwords can still be recovered. Even if you hash, uniquely salt and key stretch, and force your users to use complex passwords, you are subject to the attackers doing brute force and dictionary, distributing that over the cloud or their associates, and using hardware acceleration.

    You just slow them down.

    So even at a ludicrously slow crack rate, eBay still is obliged to inform their customers, and strongly encourage them to change their passwords.

    The OWASP Password Storage Cheat Sheet has good info, including assuming eventual compromise. eBay might have failed to protect the storage, and failed to let us know in good time, but asking us to reset is prudent.

    The secret question stuff: commonly this info is stored in the same database – a collection of all the credentials, stored separately from the rest of your data. If these are encrypted (different from hashing) then they are hard but not impossible to recover. It’s perhaps prudent to assume that the crypto key for the secret question (and answer) was stolen as well, and so must be changed.

    I’m guessing on a few points, but solid on the fact that even hashed and uniquely salted, your passwords are recoverable.
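A small added illustration of the point raised in question 1 of the post and answered in the comment above (example code written for this page, not eBay’s or the commenter’s): a per-user salt makes a precomputed table useless, while key stretching (PBKDF2-HMAC-SHA256 here) only raises the cost of each guess rather than preventing guessing. The weak-password table and the iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERS = 100_000  # HMAC-SHA256 rounds per verification (the cost knob)

def sha256_hex(password: str) -> str:
    """Unsalted, single-round hash: equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def stretched_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERS) -> bytes:
    """Salted, key-stretched hash (PBKDF2-HMAC-SHA256), as the OWASP sheet recommends."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_password(password: str):
    """What a site should keep on file: a fresh random salt plus the stretched hash."""
    salt = os.urandom(16)
    return salt, stretched_hash(password, salt)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(stretched_hash(password, salt), stored)

# Constructed sample: a tiny precomputed table of unsalted SHA-256 digests,
# standing in for the rainbow tables the post mentions.
WEAK_WORDS = ["password", "123456", "ebay2014", "letmein"]
PRECOMPUTED = {sha256_hex(w): w for w in WEAK_WORDS}

def salt_defeats_table(password: str) -> bool:
    """True when the unsalted digest is found in the table but the salted one is not."""
    _salt, stretched = store_password(password)
    return (PRECOMPUTED.get(sha256_hex(password)) == password
            and PRECOMPUTED.get(stretched.hex()) is None)

def slowdown_factor(password: str = "ebay2014") -> float:
    """How many times longer one guess takes with stretching than with plain SHA-256.
    This is the commenter's point: the attacker is slowed down, not stopped."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        sha256_hex(password)
    plain = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    for _ in range(5):
        stretched_hash(password, salt)
    stretched = (time.perf_counter() - t0) / 5
    return stretched / plain
```

Raising PBKDF2_ITERS (or moving to a memory-hard function) only multiplies the per-guess cost; it is still the reason a reset notice after a database theft is prudent rather than paranoid.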

  • Tom

    Some very valid points, particularly in regards to companies collecting ‘marketing’ data that has no impact on the service they provide. Would like to see these big online providers be more transparent with their activities.
