Slashdot Mirror
eBay Compromised
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Lets hope there's more juice on this."
From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
yes, they would. keyloggers don't care how old your password is, nor does social engineering.
Better yet, just logged into my ebay acct. and there's NOTHING in the communications there either.
Slashdot, now with less actual news and information, but nearly 100% sensational!
I understand reading is hard so I highlighted the important parts for you.
eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.
So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.
At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.
I am not interested in articles about life extension advancements.
Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.
In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.
Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.
Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.
After that, I just write it on a stick note for my monitor, cuz ain't nobody got time for your crazy password schemes.
Working for another large company that enforces a password change policy, i can tell you that it leads to less secure passwords.
In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.
You seem badly broken retech. Your posts indicate that you mistakenly believe that this is some kind of hoax, and you called a person who pointed out your error an asshole. It's clear that someone here is an asshole, but it isn't ziakll.
Wait for the dupes.
The world's burning. Moped Jesus spotted on I50. Details at 11.
It's OK to write down your password. Just keep the card in your wallet instead of on your monitor. You probably already keep a piece of plastic with your credit card number on it in the same wallet anyway.
What probably happened is that they got compromised, and then whoever compromised it tried to sell the account information to the highest bidder.
"3 Million Stolen Ebay Accounts BNIB FREE SHIPPING NR US SELLER L@@K"
I was wrong. They are always showing eight asterisks. It's not the length of your password unless your password is eight characters.
I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.
The hackers gained access to " name, [...], physical address, phone number and date of birth"
But they "did not [access] other confidential personal information"
What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identify theft.
Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?
That's a dangerous game. There's a legal precedent that they could be fined as much as one hundred thousand pounds in UK court for data protection breaches. It could take them days to find that much money in the sofa.
No kidding!!! What do you say at this point?
This is the THIRD time this month I've had to change my date of birth due to compromised website.
Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.
Ebay currently requires that passwords have uppercase, lower case, and number or punctuation, so lets say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.
As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.
So how many seconds will it take to try all of the passwords?
1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
125,000,000,000 / 3600 = 34,722,222 hours
34,722,222 / 24 = 1,446,759
3963 years
I'm happy with 3,963 years per password.
That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.
It seems to me that when using good salt, so the bad guy has to attack one password a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.