Slashdot Mirror


eBay Compromised

New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."

37 of 193 comments

  1. link? by Imabug · · Score: 2

    what, no link to the press release?

    --
    "For I am a Bear of Very Little Brain, and Long Words Bother Me"
    1. Re:link? by ZiakII · · Score: 5, Informative

      Better yet, just logged into my ebay acct. and there's NOTHING in the communications there either.

      Slashdot, now with less actual news and information, but nearly 100% sensational!

      I understand reading is hard so I highlighted the important parts for you.

      eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.

    2. Re:link? by Anonymous Coward · · Score: 2, Insightful

      Wow, I realize he's using big words, but you understand what "later today" means, right? So, of course there are no alerts in your account. Reading is hard.

    3. Re:link? by jeffmflanagan · · Score: 3, Insightful

      You seem badly broken retech. Your posts indicate that you mistakenly believe that this is some kind of hoax, and you called a person who pointed out your error an asshole. It's clear that someone here is an asshole, but it isn't ZiakII.

  2. So... by AbbyNormal · · Score: 2

    A major news story, about a ginormous compromise gets published on Slashdot and there is NO source or link?

    --
    Sig it.
    1. Re:So... by MightyMartian · · Score: 3, Funny

      Wait for the dupes.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  3. Since February and just now hearing about it?! by sbrown123 · · Score: 2

    How much you want to bet they have been sitting on this? Probably waited until X number of people were compromised and they couldn't cover it up any longer.

    1. Re:Since February and just now hearing about it?! by WWJohnBrowningDo · · Score: 4, Funny

      What probably happened is that they got compromised, and then whoever compromised it tried to sell the account information to the highest bidder.

      "3 Million Stolen Ebay Accounts BNIB FREE SHIPPING NR US SELLER L@@K"

    2. Re:Since February and just now hearing about it?! by Sockatume · · Score: 3, Informative

      That's a dangerous game. There's a legal precedent that they could be fined as much as one hundred thousand pounds in UK court for data protection breaches. It could take them days to find that much money in the sofa.

      --
      No kidding!!! What do you say at this point?
  4. Wow, password security policy fail by anolisporcatus · · Score: 2

    Things like this would not happen if security policies were in place to force password changes.

    1. Re:Wow, password security policy fail by radiumsoup · · Score: 3, Insightful

      yes, they would. keyloggers don't care how old your password is, nor does social engineering.

    2. Re:Wow, password security policy fail by K.+S.+Kyosuke · · Score: 2

      They probably also wouldn't happen if eBay used database systems with per-column access privileges. (Why should human accounts to any business software regularly need access to masses of encrypted password data?)

      --
      Ezekiel 23:20
    3. Re:Wow, password security policy fail by Anonymous Coward · · Score: 3, Interesting

      Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.

      After that, I just write it on a stick note for my monitor, cuz ain't nobody got time for your crazy password schemes.

    4. Re:Wow, password security policy fail by Anonymous Coward · · Score: 3, Insightful

      Working for another large company that enforces a password change policy, I can tell you that it leads to less secure passwords.

      In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.

  5. Not even storing hashes?! by BaronM · · Score: 2

    Got to love a major ecommerce vendor who can't even get THAT right!

    At some point, that has to count as negligence, and some sort of liability ought to attach.

  6. And Everything Just Gets More Inconvenient by lazarus · · Score: 3, Insightful

    So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.

    At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.

    --
    I am not interested in articles about life extension advancements.
    1. Re:And Everything Just Gets More Inconvenient by jabuzz · · Score: 2

      I have not noticed date of birth being in the phone book. It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth. All they need to know is that I am over 18, then piss off with the intrusive data gathering.

    2. Re:And Everything Just Gets More Inconvenient by Obfuscant · · Score: 2

      It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth.

      They need to ask because of those quaint things known as laws created by lots of different places they operate in. Those laws differ as to what ages people must be to do certain things, or what companies can do.

      All they need to know is that I am over 18,

      So when do you change to "over 21" so you can do the things that you need to be 21 to do? Or do you just want to be "over 18" for the rest of your life and will you be upset when you can't do the things adults can do on their site?

      If all you want to be is "over 18", give them a fake birthday that makes you "over 18". Problem solved.

  7. Hash algorithm? Static salt like eBay Japan? by raymorris · · Score: 2

    If eBay US was using a static salt like eBay Japan was, this is a big deal. If they were using a proper (random) salt, and a strong hash, it's not that big of a deal. Does anyone have any idea how eBay hashes the passwords?

    I'm not worried about it if they were doing something like:
    UPDATE user SET password = ENCRYPT(password, CONCAT('$5$', uuid(), '$'));

  8. Personal online information by jtollefson · · Score: 4, Insightful

    Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.

    In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.

    Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.

    1. Re:Personal online information by jtollefson · · Score: 2

      I did, but, I guess I didn't feel that I needed to lay everything out. :) Folks aren't allowed to sign-up unless they're 13 or over, but, all you would need to do is have a weekly, or even a daily process that would synch those online flags with the actual offline birthday.

  9. people at eBay are losers... by DECTerm · · Score: 2

    Seems the people at eBay are complete losers, thanx to slashdot I just had a chat with the support at the UK eBay, they confirmed that I should change my password for my own safety, but NO fucking reply why there is no announcement on the local (i.e. UK) site. They just only know well to milk their customers (Paypal) too with their fees.

  10. eBay is sitting pretty. by 140Mandak262Jamuna · · Score: 2

    The top management of eBay is going, "OK, the hackers got in, stole the credentials, but what can they do with it? What good does it do to them? They got to sell it in eBay, right? It is in their own interest we stay afloat to provide them sheep for fleecing right? So we are likely to survive till I make bonus right? After we get our boni who cares what happens to the company? I should be able to find another company to wreck next year".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Password still not stored securely by anyaristow · · Score: 2, Insightful

    The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.

  12. Password on cardboard in your wallet by tepples · · Score: 3, Interesting

    It's OK to write down your password. Just keep the card in your wallet instead of on your monitor. You probably already keep a piece of plastic with your credit card number on it in the same wallet anyway.

  13. Correction: Password length NOT shown by anyaristow · · Score: 4, Informative

    I was wrong. They are always showing eight asterisks. It's not the length of your password unless your password is eight characters.

    1. Re:Correction: Password length NOT shown by alexkaskasoli · · Score: 2

      Thanks! I can narrow down my attack on your account to 3.2451855365842673e+32 possibilities :)

  14. Re:Security: A+ + + + + + + + + + by TheGratefulNet · · Score: 2

    item not as described. password salt was actually pepper!

    --
    "It is now safe to switch off your computer."
  15. The law says 7 days by emil · · Score: 2

    Are they following the required procedures in each jurisdiction?

    http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

    These laws seem both plentiful, varied and complex. I hope their corporate legal department wasn't planning on sleep for a few months.

  16. I'm not worried by Dishwasha · · Score: 5, Funny

    I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.

  17. Wait - what?! by ripvlan · · Score: 5, Informative

    The hackers gained access to " name, [...], physical address, phone number and date of birth"

    But they "did not [access] other confidential personal information"

    What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identity theft.

    Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?

  18. Aw cripes, not again! by marciot · · Score: 4, Funny

    This is the THIRD time this month I've had to change my date of birth due to a compromised website.

  19. So I went to change the password by Rinikusu · · Score: 2

    And ebay wants me to type in my full credit card/bank account information to verify my identity. No, this doesn't look like a phishing attempt at all. Even if it's legit, it's bad form.

    --
    If you were me, you'd be good lookin'. - six string samurai
  20. 3,963 years per password by raymorris · · Score: 3, Interesting

    Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.

    Ebay currently requires that passwords have uppercase, lower case, and number or punctuation, so let's say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.

    As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.

    So how many seconds will it take to try all of the passwords?
    1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
    On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
    125,000,000,000 / 3600 = 34,722,222 hours
    34,722,222 / 24 = 1,446,759
    3963 years

    I'm happy with 3,963 years per password.

    That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.

    It seems to me that when using good salt, so the bad guy has to attack one password a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.
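An added worked example, not from this comment or from eBay, that carries the estimate above through in Python using the comment's own figures (a keyspace of roughly 1e18 candidates for a ~60-bit password and 4,000,000 hashes per second), and that also puts a number on the static-salt worry raised in comment 7: without a per-user salt, one hash computation can be compared against every stored hash at once, so the time to the first compromised account shrinks by about the number of accounts. The account count below is a constructed value, not eBay's real figure.

```python
# Added example (not from the comment): crack-time estimates for a single
# salted password, and how much a missing or static salt speeds up an attack
# on a whole password database. The keyspace (~1e18 candidates for a 60-bit
# password) and the rate (4,000,000 sha256crypt hashes per second) are the
# figures used in the comment above; the account count is a constructed value.

SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365 * 24 * SECONDS_PER_HOUR


def keyspace_from_bits(entropy_bits):
    """Number of candidate passwords for a password with the given entropy."""
    return 2 ** entropy_bits


def expected_seconds_single_target(keyspace, hashes_per_second):
    """Expected time to recover ONE properly salted password.

    With a unique random salt every guess tests exactly one account, and on
    average the right guess turns up after half of the keyspace.
    """
    return keyspace / 2 / hashes_per_second


def years_per_password(entropy_bits, hashes_per_second):
    """The comment's headline figure for a given entropy: years per password."""
    secs = expected_seconds_single_target(keyspace_from_bits(entropy_bits),
                                          hashes_per_second)
    return secs / SECONDS_PER_YEAR


def expected_seconds_first_hit(keyspace, accounts, hashes_per_second, salted=True):
    """Expected time until the FIRST password out of `accounts` falls.

    Each password is assumed to be drawn uniformly from `keyspace`.
    salted=True:  one hash computation tests one guess against one account,
                  so each computation succeeds with probability 1/keyspace.
    salted=False: with no salt (or one static salt for everyone) a single
                  hash computation is compared against every stored hash,
                  so it succeeds with probability ~accounts/keyspace.
    The expected number of computations is the inverse of that probability.
    """
    accounts_per_hash = 1 if salted else accounts
    expected_hashes = keyspace / accounts_per_hash
    return expected_hashes / hashes_per_second


if __name__ == "__main__":
    RATE = 4_000_000       # hashes per second, figure from the comment
    ACCOUNTS = 1_000_000   # constructed value, not eBay's real user count

    # The comment's round figure of 1e18 candidates for a ~60-bit password.
    secs = expected_seconds_single_target(1e18, RATE)
    print(f"1e18 candidates, one salted target: {secs / SECONDS_PER_YEAR:,.0f} years")

    # The same estimate for exact powers of two.
    for bits in (40, 50, 60):
        print(f"{bits}-bit password, one salted target: "
              f"{years_per_password(bits, RATE):,.2f} years")

    # What a per-user salt buys when the whole database is attacked.
    salted = expected_seconds_first_hit(1e18, ACCOUNTS, RATE, salted=True)
    unsalted = expected_seconds_first_hit(1e18, ACCOUNTS, RATE, salted=False)
    print(f"first of {ACCOUNTS:,} accounts, per-user salt: "
          f"{salted / SECONDS_PER_YEAR:,.0f} years")
    print(f"first of {ACCOUNTS:,} accounts, no/static salt: "
          f"{unsalted / SECONDS_PER_HOUR:,.0f} hours")
```

Run as a script it reproduces the 3,963-year figure for a 1e18 keyspace, shows that a true 40-bit keyspace (2^40 rather than 1e18/2^20) falls in about 38 hours at the same rate, and shows the first of a million unsalted accounts falling in about 69 hours where the salted case takes thousands of years. The estimate only holds if the hashes really are slow; the per-second rate is the other lever a defender controls.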

  21. I've had it with these motherfucking breaches! by Optic7 · · Score: 2

    I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.

    By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.