eBay Hack Investigations Begin
I guess I could begin this like a typical Fox News lede, with a “Could this be the largest security breach ever?”, but I won’t.
Here’s what we know so far.
The original notification of a breach was made in a PayPal blog entry that was later taken down. It was noticed.
The online auction site accidentally revealed news of the attack yesterday morning when the PayPal blog briefly posted a message with the headline “eBay, Inc. to Ask All eBay users to Change Passwords” but with no content other than the words “placeholder text”.
eBay found out several weeks ago that hackers accessed one of their servers between February and March. The method used, in eBay’s words: “Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network”. Data accessed “included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information.” These quotes are from the eBay blog post which publicized the hack and was quoted in pretty much every news account I’ve read to date.
eBay Blog: EBAY INC. TO ASK EBAY USERS TO CHANGE PASSWORDS
On Wednesday, May 21, Ars Technica blasted eBay for burying the advisory. That’s what my experience mirrored. It was the news I read, and nothing from eBay, that caused me to change my password, as related in the comments here on LGF.
Now, according to CNET, “the attorneys general of Connecticut, Florida, and Illinois will launch a joint investigation” and according to the Register, “the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation”.
The Register also hit eBay over the security of its methods for storing customer information.
Hopefully eBay customers have gotten the word to replace their passwords. During the initial rush, their servers were overwhelmed, and eBay made changes to the reset UI after many complaints.
As I read more about eBay warning users to change passwords and to be wary of emails that might be phishing tricks from hackers that have obtained their information, I can’t help but wonder about 2 things I haven’t read in the news to date.
1. Why hasn’t eBay informed us to change our email addresses?
2. If customers are locked out until 145 million members change their passwords, what is the impact to current auctions?
More to come is my bet. Including how not to handle security problems as a customer service issue.
My first spam message came to my iPhone today. Is it a coincidence that this is the number registered to my eBay account?