eBay Users: Change Your Passwords

eBay Inc. announced on Wednesday that it was the target of a cyberattack that compromised a database containing non-financial data, including encrypted passwords. Because of this, eBay requests that all users change their passwords immediately.

The company has conducted "extensive" tests on its networks, and found no evidence of unauthorized activity via user accounts. eBay also found no signs of unauthorized access to credit card or financial information, which is stored in encrypted formats on a separate system. However, eBay insists that everyone change their passwords just in case.

eBay reports that hackers gained access to the corporate network by compromising a small number of employee log-in credentials. The company is now working with security experts and law enforcement to "aggressively" investigate the cyber break-in, and to protect customers by applying "the best forensics tools and practices."

eBay reveals that the problem was first detected around two weeks ago. A thorough investigation showed that the database was compromised in late February to early March. Hackers gained access to eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. As previously stated, financial information is stored on a separate database.

"The company said it has seen no indication of increased fraudulent account activity on eBay," states the announcement. "The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."

eBay users should expect to see email notifications to change their password starting Wednesday afternoon. The company will also alert users via site communications and other methods. eBay recommends that all users also change their passwords on other services and sites if those are the same as the one used on eBay.

  • lpedraja2002
    I'm getting kind of sick of this news. I guess it's finally time to embrace randomly generated passwords. I will have to get something to sync them with my smartphones and laptop though.
    Reply
  • Xivilain
    I wonder if this affects PayPal too. Since your account can be directly linked with PayPal accounts, to streamline the purchase process.

    I can rest assured though, my account is safe with two-step authentication.

    You can activate that for eBay here:
    http://pages.ebay.com/securitycenter/OnlineSafetyTips.html#two-factor

    And here, for Paypal:
    https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
    Reply
  • mrmez
    ...I guess it's finally time to embrace randomly generated passwords. I will have to get something to sync them with my smartphones and laptop though.

    You could have a 64 character password, but if the server gets hacked, you're done.
    A complex password only prevents people from 'guessing' it.

    Reply
  • ianj14
    Apparently the eBay and Paypal sites only accept passwords up to 20 characters in length, so 64 is out for them.

    I use a password manager with local passcard files, so no online server store for them and it allows creation of 'randomly' generated number/letter/symbol combinations. I would say that two factor authentication is the only way to be sure that even if a password is known the account won't get hacked, as long as the second factor is reliable (a phone number or mobile number that can't be somehow intercepted in any way).
    Reply
  • mrmez
    Kinda missed the point.
    It doesn't matter how long or strong your password is, if the server gets hacked everything should be considered compromised.

    I'm not sure how a password manager works, but I'd assume at the end of it, your password and details still need to be stored on a server somewhere.
    After all, how can the server know you have the right password if it doesn't have it to begin with?

    OSX / iCloud has a password manager that stores all my passwords and shares them across devices, but I can still log on to anything from any device.
    Reply
  • Floflo81
    One good but not too difficult-to-use solution for more secure passwords is to use a browser plugin like "Password Hasher". When you have to input a password, it asks for a "master" password, which is then used to generate (through a one-way hashing algorithm) a different password for each website (based on the website name).

    You only need to remember the master password, and the plugin does the rest. If one of the websites is compromised, and your password for this site is leaked, nobody can use it to log in on another website. And you can generate a second, different, password for the same site with the same master password (using the "Bump" button).

    Try "Password Hasher" for Firefox, "Password Hasher Plus" for Chrome and "Hash It!" for Android (they're all compatible as in they generate the same unique passwords for the same input).
    Reply
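The per-site derivation Floflo81 describes (master password plus site name through a one-way function, with a "bump" to rotate one site's password) can be shown in a few lines. This is an added example, not the plugin's own algorithm, which differs in its details: keying HMAC-SHA256 with the master password, the `site:bump` tag encoding and the 20-character default (chosen to fit the limit ianj14 mentions) are all assumptions made here.

```python
import base64
import hashlib
import hmac


def derive_site_password(master: str, site: str, bump: int = 0, length: int = 20) -> str:
    """Derive a per-site password from a master password and a site tag.

    Hypothetical scheme (not the plugin's exact algorithm): HMAC-SHA256 keyed
    with the master password over "site:bump", base64-encoded and truncated.
    The same inputs always give the same password, so nothing has to be
    stored anywhere, and the output cannot be reversed to recover the master.
    """
    # Base64 of a 32-byte digest is 43 characters once padding is stripped.
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43")
    tag = f"{site.strip().lower()}:{bump}".encode("utf-8")
    digest = hmac.new(master.encode("utf-8"), tag, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]


def site_passwords(master: str, sites: list, length: int = 20) -> dict:
    """Map each site tag to its derived password (what the plugin does on demand)."""
    return {site: derive_site_password(master, site, length=length) for site in sites}


if __name__ == "__main__":
    # Constructed sample input for the demo; pick a far stronger master in practice.
    master = "correct horse battery staple"
    for site, pw in site_passwords(master, ["ebay.com", "paypal.com", "example.org"]).items():
        print(f"{site:12s} {pw}")
    # "Bump" after a breach: same master, new password for the same site.
    print("ebay.com bump 1", derive_site_password(master, "ebay.com", bump=1))
```

Two caveats a practitioner would add: the derivation is deterministic and fast, so an attacker who obtains one derived password together with its site name can guess at the master password offline, which makes the strength of the master the whole security of the scheme; and the base64 alphabet does not guarantee a digit or symbol in every output, so sites with character-class rules may need the extra post-processing the real plugin performs.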
  • jerrspud
    So what are the real odds the encrypted passwords can be deciphered?
    Reply
  • masteroftheuniverse
    It has to have the key on the server to read anything encrypted; if it is just comparing HASHES, that is a completely different thing.
    Reply
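The distinction masteroftheuniverse draws, and mrmez's question of how a server can check a password it does not store, come down to what the stolen record contains. The following is an added example (not eBay's code; nothing is known here about how eBay stored the dumped passwords) contrasting the two models in Python: a reversible record that a server key decrypts, and a one-way record the server verifies by recomputing. The toy HMAC-based stream cipher exists only to show reversibility and is not a recommended cipher; PBKDF2 from the standard library stands in for bcrypt, scrypt or Argon2; the server key, iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hypothetical server-side secret. In the "encrypted passwords" model it must be
# reachable by the login code, so whoever compromises that system gets it too.
SERVER_KEY = b"constructed-server-key-for-demo-only"
KDF_ITERATIONS = 100_000


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). Demo only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(password: str, key: bytes = SERVER_KEY) -> bytes:
    """Reversible storage: nonce || ciphertext. Anyone holding `key` reads it back."""
    data = password.encode("utf-8")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct


def decrypt_password(record: bytes, key: bytes = SERVER_KEY) -> str:
    """What an attacker with the dump *and* the server key recovers: the plaintext."""
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))).decode("utf-8")


def hash_password(password: str, iterations: int = KDF_ITERATIONS) -> str:
    """One-way storage: per-record salt plus a slow PBKDF2 digest; no key anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The server recomputes the digest from the candidate; it never has the original."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """All an attacker can do with a hashed record: guess, paying one slow KDF per try."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    secret = "hunter2"
    enc = encrypt_password(secret)
    print("encrypted record decrypts to:", decrypt_password(enc))
    rec = hash_password(secret)
    print("hashed record:", rec)
    print("login with right password:", verify_password(secret, rec))
    print("login with wrong password:", verify_password("hunter3", rec))
    print("dictionary attack on hashed record:", offline_guess(rec, ["password", "123456", "hunter2"]))
```

Against jerrspud's question, the odds therefore depend on which record the attackers walked off with: a reversible record plus the key yields every password at once; a salted, slow hash yields only the passwords an attacker can guess, at one KDF evaluation per guess per account, which is why a password that appears in a wordlist falls quickly and a long random one does not. The per-record salt also means two users with the same password get different records, so a single cracked hash tells the attacker nothing about anyone else.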
  • littleleo
    Nice to know it happened 3 months ago.
    Reply