eBay Compromised
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this."
From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
what, no link to the press release?
"For I am a Bear of Very Little Brain, and Long Words Bother Me"
A major news story, about a ginormous compromise gets published on Slashdot and there is NO source or link?
Sig it.
How much you want to bet they have been sitting on this? Probably waited until X number of people were compromised and they couldn't cover it up any longer.
Things like this would not happen if security policies were in place to force password changes.
Why are companies the size of eBay still using passwords for their internal systems? FFS, it's amateur hour wherever you look.
Got to love a major ecommerce vendor who can't even get THAT right!
At some point, that has to count as negligence, and some sort of liability ought to attach.
I just went to ebay and logged in, and was surprised to see nothing regarding this on their main page. How do they expect most people to see this!?
As said in the article -> 2 weeks (or more)
So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.
At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.
I am not interested in articles about life extension advancements.
If eBay US was using a static salt like eBay Japan was, this is a big deal. If they were using a proper (random) salt, and a strong hash, it's not that big of a deal. Does anyone have any idea how eBay hashes the passwords?
I'm not worried about it if they were doing something like:
UPDATE user SET password = ENCRYPT(password, CONCAT('$5$', UUID(), '$'));
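The point of that UPDATE is the per-row random salt: with a shared (static) salt, two users with the same password get the same stored hash and one guess can be checked against every row at once. The following is an added example written for this thread, not code from eBay or from the poster; it uses PBKDF2-SHA256 from the standard library in place of crypt($5$) (the 110,000-round count mirrors the crypt default the thread discusses), and the usernames, passwords and the static salt value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Iteration count chosen to mirror the crypt($5$) default discussed in the thread.
ROUNDS = 110_000
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Hash `password` and return a self-describing record: scheme$rounds$salt$digest.

    When no salt is supplied a fresh 16-byte random one is drawn, so two users with the
    same password never share a stored hash (this is what CONCAT('$5$', UUID(), '$')
    achieves in the SQL above).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode("ascii")  # base64 never contains '$'
    return f"{SCHEME}${rounds}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and round count stored in the record."""
    scheme, rounds, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# A single salt shared by every row: the configuration the thread warns about.
# Constructed value, for illustration only.
STATIC_SALT = b"same-salt-for-everyone"


def stored_hashes(users: Dict[str, str], static_salt: Optional[bytes]) -> Dict[str, str]:
    """Build a password table (username -> record) for `users` (username -> plaintext),
    salted either with the one shared value or, when static_salt is None, per user."""
    return {name: hash_password(pw, static_salt) for name, pw in users.items()}


def guesses_per_candidate(table: Dict[str, str]) -> int:
    """How many PBKDF2 computations it takes to test ONE candidate password against
    every row: one per distinct salt. A static salt makes this 1 regardless of size."""
    salts = {rec.split("$")[2] for rec in table.values()}
    return len(salts)


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob deliberately share a password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}
    static = stored_hashes(users, STATIC_SALT)
    salted = stored_hashes(users, None)
    print("static salt: alice == bob ->", static["alice"] == static["bob"],
          "| work per guess:", guesses_per_candidate(static))
    print("random salt: alice == bob ->", salted["alice"] == salted["bob"],
          "| work per guess:", guesses_per_candidate(salted))
    print("verify carol:", verify_password("hunter2", salted["carol"]))
```

With the static salt the table shows identical records for alice and bob and a single computation per guess; with per-user salts every row costs a separate computation, which is exactly the "one password at a time" property discussed later in the thread.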
http://money.cnn.com/2014/05/2...
Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.
In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.
Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.
Would hack again!
Seems the people at eBay are complete losers, thanks to slashdot I just had a chat with the support at the UK eBay, they confirmed that I should change my password for my own safety, but NO fucking reply why there is no announcement on the local (i.e. UK) site. They just only know well to milk their customers (Paypal) too with their fees.
The top management of eBay is going, "OK, the hackers got in, stole the credentials, but what can they do with it? What good does it do to them? They got to sell it in eBay, right? It is in their own interest we stay afloat to provide them sheep for fleecing right? So we are likely to survive till I make bonus right? After we get our boni who cares what happens to the company? I should be able to find another company to wreck next year".
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Email Spam has been coming to my email preferenced through ebay with my username in the subject line for about a week or so. A lot of Costco and Walmart stuff that never used to show up. We will find you fucking hackers wherever you are.
I've used eBay for years, with a few clicks it's easy to find anyone's information (username, address, phone number, etc) - Sure, you can't just outright search for someone's profile with that information on there, but you can still very easily find information just a few clicks deep.
Next people will be up in arms over the Whois database having their addresses and phone numbers available to EVERYONE on the INTERNET!!!
I wonder if the attackers used a NSA backdoor ?
http://www.ebayinc.com/in_the_...
The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.
It's OK to write down your password. Just keep the card in your wallet instead of on your monitor. You probably already keep a piece of plastic with your credit card number on it in the same wallet anyway.
Why do these companies repeatedly store only *some* of my personal information encrypted? I'm getting really tired of these people leaking my home address, phone number, email address, birthday, etc. That is all information that can be used to impersonate me and gain access to other accounts, etc. At the very least, it leads to piles of annoying SPAM.
The PCI standards (see https://www dot pcisecuritystandards dot org/ ) require that sensitive information, such as credit card numbers, be stored encrypted. I really wish the feds would just require that *all* personal information be treated as "sensitive" and appropriately encrypted, audited, etc.
Still waiting to hear about how awful it is for cyber-attackers to go in and steal stuff that will enable further stealing from millions of users; you know, the working types who just want to buy and transact each day and go about their business.
"eBay's awful, PayPal's awful, blah blah blah. Guy Fawkes masks are cool, Marx and Che are cool, so is sticking it to the corporations. Ha ha the companies should hire me because I know better than their dumb security people doing dumb security stuff."
How many slashdotters worship all the cool haxxorz that keep causing losses in the millions and billions each year? And no standing up for the basic principle of not stealing. Ultimately that's the working man they're stealing from because a) identity theft hits everyone from the top to the bottom of the income scale, and b) the working man's 401k is staked on corporate profits.
"Now, I doubt any of you would prefer a rolled up newspaper as a weapon against a dictator or a criminal intruder."
As per my usual, my eBay account has all fake information and a throw-away password. eBay often tells me to make it stronger, but it's ironic, because had I actually used a strong "normal" password (one of my strong ones I can remember), it would now have been possibly compromised.
I think this might be an argument for using crap usernames/passwords for sites you don't trust (which is most of them), because chances are, they're going to leak your information at some point.
I was wrong. They are always showing eight asterisks. It's not the length of your password unless your password is eight characters.
I lost my paypall password years ago.
Maybe if I get the hash I can crack it myself.
Sounds like someone duped an employee into revealing their login/password; they might even have used a keylogger to capture it. Where have we heard that before?
I already use cash if I can't eyeball the person swiping the card or swipe it myself.
Maybe we should go back to cash and checks.
I've been in IT since 1999 as a pro and 1982 as a hobbyist, and I give up -- The System cannot be trusted. NSA reading my crap, companies being negligent / careless / indifferent with private / financial data .. script kiddies and organized crims.. enough!
The "Civilized World" jumped the shark ca. 1973.
Whenever this happens I will now think of the Adobe password breach ... 130million accounts.
roughly 10% of those had "123456" as their password..
you can see the other top 99 herE: http://stricture-group.com/fil... ..probably a good time to reconsider the re-use of passwords.. use a password vault....
Who's with me?
Are they following the required procedures in each jurisdiction?
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
These laws seem plentiful, varied and complex. I hope their corporate legal department wasn't planning on sleep for a few months.
I wonder just how much info an attacker could have obtained?
eBay and PayPal used to offer security tokens to provide one-time PINs to be used at login. They were offered as either physical tokens or as smartphone apps. I just tried to look for them on the eBay and PayPal sites, but I no longer see any mention of them. Have they stopped supporting the tokens?
PayPal now just appears to offer something called PayPal Security Key in which they send OTPs via SMS, and I don't see anything like that on the eBay site.
I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.
I kind of had tunnel vision there, didn't I. That comes from 17 years of focusing on protecting passwords for a living.
The hackers gained access to " name, [...], physical address, phone number and date of birth"
But they "did not [access] other confidential personal information"
What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identity theft.
Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?
just logged into my ebay acct. and there's NOTHING in the communications there either.
Yes, I just logged on and don't see anything on their login page. Odd; you'd think that this would be the first place they'd put a note.
It's also very obscure how to change your e-bay password. You can do it... but it's buried way down in menus inside menus.
Maybe they're waiting until they can rewrite their login page to put the "change password" menu somewhere that an average user can actually FIND it.
http://www.geoffreylandis.com
This is the THIRD time this month I've had to change my date of birth due to a compromised website.
Password: now changed.
Date of birth: changed, new birth certificate acquired.
Home address: moving house tomorrow.
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
And ebay wants me to type in my full credit card/bank account information to verify my identity. No, this doesn't look like a phishing attempt at all. Even if it's legit, it's bad form.
If you were me, you'd be good lookin'. - six string samurai
Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.
Ebay currently requires that passwords have uppercase, lowercase, and number or punctuation, so let's say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.
As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.
So how many seconds will it take to try all of the passwords?
1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
125,000,000,000 / 3600 = 34,722,222 hours
34,722,222 / 24 = 1,446,759 days
3963 years
I'm happy with 3,963 years per password.
That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.
It seems to me that when using good salt, so the bad guy has to attack one password a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.
I guess I better change my PayPal password just to be on the safe side. Thank God for KeePass.
I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.
By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.
Should users really rush to change their passwords on an insecure site? I don't quite see the point of a PW change until ebay has changed their security precautions. As the customers, we should demand that THEY change their practices before doing anything. Otherwise we'll be throwing hackers another bone.
Ebay's silence on this matter is completely unacceptable. Do we really know that credit card info wasn't stolen? They've sealed their lips about all of this so far, because if card numbers were compromised, they would be the demons of the week and permanently have their names tarnished.
It's nice that "no financial information" got compromised, but with my name, address, and date of birth, the crackers won't have any trouble accessing credit in my name. Sigh. Looks like I'm going to have to activate credit monitoring. If eBay has any sense, it'll offer that service for free for everyone whose data was vulnerable.
I hadn't changed my eBay password since I created my account, circa 1998, and it was 8 characters long all lower case. Replaced it with something more robust.
It is awful to steal from millions of users. Users have two options: transact business with a business and entrust their data into the business's protection or shun a business. Let us say that your argument is correct, and it is in the best interest of the working man to transact business with a business and entrust his data into the business's protection because that benefits the business and hence the working man's 401k account. Would it not be reasonable for that working man to then be angry at Ebay for not following pretty basic practices to protect this data, such as telling him about it immediately, encrypting his personally-identifiable data and protecting their network?
I present an alternative view: it is unwise for the working man to tie his worth to the worth of those who do not have his interests in mind. It is wiser for the working man to not spend his money on bolstering the economy by buying unnecessary items from companies that do not have his personal wellbeing in mind. It is better for him to live well within his means and not rely on a 401k.
There's a lot of stealing going on in the world, and most Slashdotters do not stand up for stealing. They do stand up for basic practices that everyone entrusted with someone else's data should follow if they cared at all for that other person's wellbeing. Ebay does not care for our wellbeing (this should not be news). Every reminder of such will anger some people here.
Next for the attackers is emails to the accounts phishing for PayPal account info - things like "A charge has been made on your paypal account, click here to cancel". I got one like that today, and the publicity is going to make people hyper sensitive to anything eBay related. This is going to be messy.
So the password I was using had 113 bits of entropy. Does anyone know the likelihood this can be cracked?
Or is it pretty safe given that most people will have easier to break passwords?
Accounts' passwords expired and have to be changed. :/
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
On its front page, oclHashcat says it can run sha256() 11 million (not billion) times per second on a GPU. That's reasonably close to what I get.
crypt($5$) is 110,000 rounds of sha256(). Therefore, hashcat can run crypt($5$) 100 times per second.
You thought "easily check over 10 billion hashes a second", hashcat's web page says 100 per second. Doing 110,000 rounds instead of one matters, and of course there's the little confusion between million and billion.
I can't remember if ebay has security questions, but if it does, that could compromise your other accounts that also have security questions.
I present an alternative view: it is unwise for the working man to tie his worth to the worth of those who do not have his interests in mind. It is wiser for the working man to not spend his money on bolstering the economy by buying unnecessary items from companies that do not have his personal wellbeing in mind. It is better for him to live well within his means and not rely on a 401k.
Your alternate view is one I agree with fully. I practice this one myself. Regarding their practices, I also agree putting more responsibility on them for their handling is appropriate, considering all the factors. Point well taken. Thank you.
"Now, I doubt any of you would prefer a rolled up newspaper as a weapon against a dictator or a criminal intruder."
Tried to change my ebay password and got this:
Page not available
Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.
Avoiding the word "billion" because it means different things in different countries ...
> oclHashcat's front page says 11231M c/s for SHA256
Yes, I should get some sleep. Divide that by 110,000 rounds, you get 102,100 hashes ($5$) per second. A bit higher than 100, and a bit lower than 10 billion. For any definition of billion. :)
Note my original calculation assumed 4 million hashes per second. With the oclHashcat numbers, we're looking at 160,000 years per password, for a reasonably good password.
If the user then set their password to the very minimum that eBay will allow, that could of course end up badly. Password1234 is going to get cracked no matter how you hash it.
Hmm, I see there is a competition going on for a new hash function. Robert Morris created crypt(3). His son, Robert T Morris, created the Morris worm. It might be time for Ray Morris to become known beyond the 50,000 sites or so that use our existing security solutions.
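The cracking-time estimates in this thread (3,963 years per password at 4 million crypt($5$)/s, and the corrected oclHashcat figure of 11231M SHA-256/s divided by 110,000 rounds) all come from the same three-step arithmetic: size of the keyspace, guesses per second against the full construction, and the expected half-keyspace search. The following is an added example that carries that arithmetic through as code; it is not from any poster or from eBay, and the keyspace, rate and account-count figures it feeds in are the thread's own round numbers or constructed sample values.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(entropy_bits: float) -> float:
    """Number of candidate passwords for a given entropy in bits (2^bits)."""
    return 2.0 ** entropy_bits


def effective_rate(primitive_per_sec: float, rounds: int) -> float:
    """Guesses per second against a construction that costs `rounds` primitive calls
    per password. crypt($5$) runs SHA-256 110,000 times, so a raw SHA-256 rate must be
    divided by that before it says anything about password guessing."""
    return primitive_per_sec / rounds


def expected_seconds(candidates: float, guesses_per_sec: float) -> float:
    """On average half the keyspace is searched before the right password is found."""
    return candidates / 2.0 / guesses_per_sec


def expected_years(candidates: float, guesses_per_sec: float) -> float:
    return expected_seconds(candidates, guesses_per_sec) / SECONDS_PER_YEAR


def years_for_all_accounts(candidates: float, guesses_per_sec: float,
                           accounts: int, per_user_salt: bool) -> float:
    """Cost of recovering every account's password. With per-user random salts each
    account is a separate full search; with one static salt a single search tests
    each guess against every account at once, so the account count drops out."""
    one = expected_years(candidates, guesses_per_sec)
    return one * accounts if per_user_salt else one


if __name__ == "__main__":
    # Figures used in the thread: ~1e18 candidates for a 60-bit password,
    # 4e6 crypt($5$)/s in the first estimate, 11231e6 SHA-256/s from oclHashcat.
    print("60-bit password, 4e6 guesses/s: %.0f years" % expected_years(1e18, 4e6))
    rate = effective_rate(11231e6, 110_000)
    print("oclHashcat through 110,000 rounds: %.0f crypt($5$)/s" % rate)
    print("60-bit password at that rate: %.0f years" % expected_years(1e18, rate))
    for bits in (40, 50, 60):
        print("%d bits, 4e6 guesses/s: %.1f years" % (bits, expected_years(keyspace(bits), 4e6)))
    # Constructed account count, to show why the salt matters more than the hash speed.
    n = 1_000_000
    print("static salt, %d accounts: %.0f years" % (n, years_for_all_accounts(1e18, 4e6, n, False)))
    print("random salt, %d accounts: %.3g years" % (n, years_for_all_accounts(1e18, 4e6, n, True)))
```

Note that the poster's 1 X 10^18 is a rounding of 2^60 (about 1.15 X 10^18), which is why the exact keyspace gives a somewhat larger figure than the 3,963 years quoted; the shape of the result is the same, and the 40-bit row shows how quickly a weak password falls even with a slow hash.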
They are talking about encryption and everyone assumes they are hashed. Are they hashed somehow or really, as they say encrypted. That is the question.
If you try to change your ebay contact email, you get a notification sent to you that a request from a particular IP address is trying to change your contact email... only that IP has nothing to do with Ebay, nor with you. It's from all over the world and changes each time. Dunno if it's just a bug or a pervasive MITM attack, or fixed by now. Easy to duplicate though. I sent Ebay all sorts of info about it, and they were utterly hopeless.
This is obviously not a big deal.
How can all these companies keep f***ing up and not pay their users compensation. I would suggest $10 per user impacted would work. Watch the security get beefed up. If a bank messes up, you get a payment.
No mention in TFA. That's a non-trivial piece of data.
I just tried to change my password on paypal, it's the usual where you can't see the password you're typing and you have to type it twice.
Now, normally this wouldn't bother me because I use a random password generator to come up with something like 9rf3-3f0g6#p6ebIn!Hg.
Except paypal says I can't paste the password in, I have to motherfukking type that long complicated shit in TWICE. FFS.
So, I didn't change my password, well done Paypal you stupid fucking idiots.
Thank fuck eBay doesn't do this.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.