The internet community has slammed eBay over its reaction to a database breach that put user passwords and personally identifiable information into the hands of hackers.
eBay confirmed the compromise of the database this week, saying that it had become aware of it in late February. It said that credit and financial information was safe, but admitted that passwords, usernames, email addresses, postal addresses, phone numbers and dates of birth had been stolen.
Since the incident was revealed, eBay has been criticised for failing to notify all its customers in a timely fashion and for the confusing process customers have to go through to change their password.
Apologies, we are in the process of notifying all users through email, site and other communications. Info at: http://t.co/4fB5rlOa4F — Ask eBay (@AskeBay) May 22, 2014
"Here's what we recommend you do the next time you visit eBay: Take a moment to change your password. You can do this in the 'My eBay' section under account settings. This will help further protect you; it's always a good practice to periodically update your password. Millions of eBay users already have updated their passwords," it said.
"Remember to always use different passwords on different sites and accounts. So if you haven't done this yet, take the time to do so."
However, clicking on "My eBay" does not bring up such an option. Users should instead look to the top left of the screen and click the space under their name. Account settings is found there, and a password "edit" option appears under the "account information" tab.
Be right back. Gotta go and change my eBay password. — Mikko Hypponen (@mikko) May 21, 2014
The whole sorry episode has not endeared the auction site to the security community.
"Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately not to mention exfiltrated? Where are the breach detection systems?" he asked.
"How was my password 'encrypted'? I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others."
That's right, none of that important stuff like our blood types and first pet's name, just literally everything else. pic.twitter.com/9e3xjAOHNt — Jake Davis (@DoubleJake) May 21, 2014
"If you're one of the world's top websites, and hackers broke in a couple of months ago making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?" he asked. "And wouldn't it be good if you provided an easy link where people could reset their passwords?"
Cluley added that if the firm is serious about the issue, then it should force password resets, and not just encourage them.
eBay has since added a splash notice to its front page, but it still only suggests that a password change might be in order.
Toyin Adelakun, vice president of products at authentication specialist Sestus, said: "This appears to be more serious than a 'mere' password smash-and-grab. Rather, it seems eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were stolen. Passwords can and must be reset - especially if they're reused elsewhere - but the other personal data cannot easily be reset."
"If eBay confirms that wider personal data has been stolen, users must maintain extreme vigilance of all financial statements and of their credit reference files."
This is a major breach, and experts hope that a big lesson is learned.
"This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it's not a matter of 'if' it will be compromised - it's a matter of 'when'," added Brendan Rizzo, technical director at encryption firm Voltage Security.
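The two questions the quoted researchers raise, which algorithm and salt were used (so a user can judge brute-force exposure) and how credentials should be stored and protected, are easier to reason about with a concrete store in front of you. The following is an added example written for this article, not eBay's code or anything the company has described: a password record that is self-describing (algorithm, work factor, per-user salt), a constant-time verifier, a check that flags records which should trigger a forced reset, and a rough brute-force cost estimate. The iteration count and the attacker hash rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example; the scheme and parameters are assumptions, not eBay's.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, unique per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the algorithm and cost beside the hash is what lets an operator
    answer "how was my password hashed?" precisely after a breach.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stored record and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False  # unknown or legacy scheme: never accept, force a reset instead
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_reset(record: str) -> bool:
    """True for records that should be force-reset rather than merely 'encouraged':
    a legacy algorithm, or a work factor below the current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < ITERATIONS


def salts_make_hashes_unique(password: str) -> bool:
    """Two users with the same password get different records only if salts are random."""
    return hash_password(password) != hash_password(password)


def brute_force_seconds(candidates: int, raw_hashes_per_second: int,
                        iterations: int = ITERATIONS) -> float:
    """Rough offline-cracking time for one record: each guess costs `iterations`
    primitive hashes. `raw_hashes_per_second` is an assumed attacker rate."""
    return candidates * iterations / raw_hashes_per_second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("tr0ub4dor&3", record))
    # Constructed legacy record: a single unsalted hash would be flagged for reset.
    print("legacy needs reset:", needs_reset("sha1$1$00$da39a3ee5e6b4b0d3255bfef95601890afd80709"))
    # Assumed 10^9 primitive hashes/s against a 10^6-candidate dictionary:
    print("seconds, single hash:", brute_force_seconds(10**6, 10**9, iterations=1))
    print("seconds, with work factor:", brute_force_seconds(10**6, 10**9))
```

The design choice worth noting is that the work factor, not secrecy of the scheme, is what changes the brute-force estimate: with the assumed numbers a million-candidate dictionary falls in a millisecond against a single unsalted hash but takes ten minutes per user against the iterated scheme, and the per-user salt means that cost is paid once per user rather than once for the whole table.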