eBay Belatedly Announces Hacking. Change Your Password. Get in now and avoid the rush...

Comments

  • +1

    Disgraceful that they still haven't officially notified users and they don't even prompt a password change when you log in!

    In my reading this morning I also discovered that they have 2 Factor Authentication.. Tried finding out how to activate it within eBay, couldn't..
    Eventually found this guide to do it through Paypal.
    http://www.healthypasswords.com/content.Healthy_Passwords_Ho…

    • from the comments in the article, it looks like the 2 factor authentication is available from about 3 years or so…can't believe ebay didn't bring this to customers attention, especially after sony got hacked last year…

      • 2 factor authentication works 1 time out of 3.

        Ebay use a UK SMS setup that is very unreliable.

        • Use the Symantec VIP App… essentially a Symantec version of Google Authenticator

  • I'm staggered at how slack eBay has been in their response. So far there has been no email notification, no alert on their front page, and no alert upon login.

    Even worse, their change email feature seems to be broken. I always change this and my username as a matter of course after breaches (I own my own domain and have single use addresses for each account) but I can't change the email address until I receive an email at the new address to confirm. I'm still waiting nearly four hours later and I didn't make a typo in the address.

  • +1

    All I know is that the hackers know where I live, and may be looking to steal all of my magnificent eBay crap.

    From now on I will be looking askance at anybody and everybody who comes to my door.

    I am frightened.

    I would also like to know whether or not you can buy bikie security on eBay?

    Maybe, Gumtree??

  • Lots of people started to use PayPal because of eBay so I'd be changing my PayPal password (if it's the same) too because I'd be surprised if that wasn't exploited too.

  • n.b. the password reset pages are bugging out… So it will probably take a few goes.

  • If the passwords are properly encrypted, what's the issue?

    • They weren't properly encrypted (ie hashed and salted), they're just encrypted.. As soon as the password list is cracked, all the passwords are available in plaintext.

  • Tried 3 times last night to change password, pathetic, still waiting, and still no email this morning to change my password, you used to be able to just go in and change it, but no, you gotta verify your email and sit like a stiff waiting for the one time code to change it, how many days will I wait, ….

    • Sounds like you're doing something wrong.. I didn't have to wait on email verification…

      • The SMS method is much easier.

        • Agreed, except I find it doesn't always come through.. thereby making it MUCH harder..

  • Well done gents and ladies. I've now enabled eBay and Paypal with VIP app (Android) with success!

  • -1

    Will the hacked passwords be listed for sale on ebay ?

    • -1

      JUST CHECKED. HOLY CRAP. THEY ALREADY HAVE BEEN!!
      OH MY GOD - AND PEOPLE'S UPDATED ONES TOO!! WHAAAAAAAATTT???

      I just bought yours…

      BayBaySewSewHotttt

      That's an interesting password you have there…

  • I changed mine yesterday, went through instantly.

  • might be a silly question, but what can they possibly achieve from hacking low level accounts?

    unless people are silly enough to use the same password as their email account.

    • +1

      Most people use the same password for EVERYTHING!
      Hence there's lots to gain!

      • then they will need to change their password for everything. I wonder how many ozbargainers sign up to the "freebies" on this site with the same passwords.

  • +2

    I hate changing ebay passwords. You can't use anything resembling any previous one you've EVER had. So for example, if you had "fordandholdenbothstink", you can't make it "allfordandholdensbothstinkforever". I think even changing letters for numbers (o=0, and s=5). I had a very secure password until ebay's lack of security gave it away. Very annoying!

  • I don't think they got the passwords. They got the password hashes.

    • Although the hackers would then brute force reverse the hash which will then succeed sooner or later depending on the hash strength.

      • Or password strength

        • And this is the problem..
          People have crap passwords and cause eBay are also crap, they apparently didn't salt the hashes, so once they've brute forced someone's "123456" password, they can unlock everyone else's..

        • Good morning, scuba.
          I am hungry, and you are NOT helping.
          I would kill for some salted hashes.

  • But what is the worst someone could do if they hacked your eBay account? Sell a load of stuff - and then get a bunch of people wondering why you didn't ship it? (ship what?) or buy a load of stuff - please pay for all this stuff you bought! (oh no I didn't buy any of that stuff…must have got hacked…you'll have to list it again).

    I don't have any payment information attached to eBay…is there any risk other than accessing something that should be password protected?

    And I can't even remember my eBay password - if they ever need me to enter it I have to click "forgot password" and do the merry dance again.

    • They get your password that you use on your email cause you use the same password for everything. then they can get the password to your Paypal account by using the "forgot Password" feature to send an email to your email account.. Then they can pay themselves lots of money from your Paypal account..

      • eBay I use a separate password (low security one). PayPal I use a high-security one as I can lose cash if that gets compromised.

        • Good for you.. What about your email?
          If they can access your email, they can do a password reset on your Paypal.

          Most people have 1 password for everything. So while this may not affect you, it affects millions of others.

        • EBay unique password
          PayPal unique password
          Email insanely unique password and incredibly long that theoretically should take a couple of hundred years to crack via brute force (and a couple of seconds with a Trojan keylogger)

  • +3

    Ebay finally got around to sending the email they should have a week ago. Pathetic Mr Wenig. If you "know our customers have high expectations of us" why did you sit on your @rses so long and not bother to post clear warnings on your websites?

  • +2

    And so it begins: the following just got sent to the address eBay had at time of breach (since changed).

    Honk Kong sounds like an interesting place.

    ------- Original message -------
    From: Visa <[email protected]>
    To: ebay@{my domain name}.com
    Subject: {14.9} VISA - Suspicious Recent Transactions
    Date: Thu, 29 May 2014 19:40:56 -0300

    Dear Visa card holder,

    A recent review of your transaction history determined that your card was used in possible fraudulent transactions. For security reasons the requested transactions were refused. Please carefully review electronic report for your VISA card.

    For more details please see the attached transaction report.

    Wilburn.Yu
    Data Protection Officer
    VISA ASIA LIMITED
    1 Sheldon Square
    Honk Kong W2 6WH
    Honk Kong

    • With the report file conveniently placed in a .zip to cut down bandwidth :)

  • By God, I despise eBay, I hated them before and I despise them now.

    Doesn't surprise me that their password security was lacklustre, matches perfectly with everything else that they do.

    Can't receive the email even though the address is correct. Can't get the system to call me even though the number is correct.

    I tell you what though, some things are going for a song on eBay because no one can access their account. If you're a seller and you can't access your account and your Lumia 625 goes for $1.00 you would be spewing.

    BTW, their stock advice appears to be: why not set up another account? Eh? That's top notch service for you.

  • I logged on via a new PC and they forced me to pick a new password…and I've already forgotten it.
