Anybody else get an eBay PW Reset Recommendation?



Shadow Lord
May 23rd, 2014, 09:03 AM
I just got an email today from eBay and want to see if it is authentic or not. Looks legit, it has my eBay name and my real name on it. Anybody else get this?


IMPORTANT: PASSWORD UPDATE

Dear eBay Member,

To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords.

Here's why: Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords.

What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

What I ask of you:
Go to eBay and change your password. Changing your password may be inconvenient. I realize that. We are doing everything we can to protect your data and changing your password is an extra precautionary step, in addition to the other security measures we have in place.

If you have only visited eBay as a guest user, we do not have a password on file.

If you used the same eBay password on any other site, I encourage you to change your password on those sites too. And if you are a PayPal user, we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.

Here are other steps we are taking:
As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.

Here's what we know: This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers' name, encrypted password, email address, physical address, phone number and date of birth.

However, the file did not contain financial information. And, after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. We also have no indication of a significant spike in fraudulent activity on our site.

We apologize for any inconvenience or concern that this situation may cause you. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We know our customers have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Uniballer
May 23rd, 2014, 09:06 AM
It is legit. This was in the news on Wednesday, long before ebay started asking users to change their passwords. In fact, there are now news stories about how slow ebay's response has been.

Stone
May 23rd, 2014, 09:08 AM
C'mon, SL, you already know that eBay has a hot nut for you. Be careful. :-)

Shadow Lord
May 23rd, 2014, 09:13 AM
C'mon, SL, you already know that eBay has a hot nut for you. Be careful. :-)

Who doesn't? :D

Chuck(G)
May 23rd, 2014, 09:51 AM
Checked my eBay messages as well as my email. No such notice. I wonder if only a portion of eBay's customers were affected. But yes, I heard about the intrusion on the BBC as well as NPR.

Shadow Lord
May 23rd, 2014, 10:06 AM
Checked my eBay messages as well as my email. No such notice. I wonder if only a portion of eBay's customers were affected. But yes, I heard about the intrusion on the BBC as well as NPR.

If you log in now chuck you should see a big orange button up top. Apparently everybody's info was stolen but no PWs.

smp
May 23rd, 2014, 12:06 PM
I just got an email today from eBay and want to see if it is authentic or not. Looks legit, it has my eBay name and my real name on it. Anybody else get this?

Yes, I did. I was concerned about a possible phishing attack, even though it seemed to coincide with news about an eBay issue that I'd read in another news venue. So, I logged in separately from the link offered in the e-mail I received and reset my password.

smp

Chuck(G)
May 23rd, 2014, 12:25 PM
If you log in now chuck you should see a big orange button up top. Apparently everybody's info was stolen but no PWs.

It seems to me that if my password wasn't obtained, they already have my information, so what good would resetting my PW do? It's not as if I'm going to move house, change my name and telephone number in reaction to this.

Is there something that I'm missing?

From CNN:


But that's not the point. The real danger here is in the fallout of such a major data breach. Hackers now know where you live. They can call you. Expect to receive fake deals and offers. Beware of getting duped into revealing even more sensitive information, like your bank details or Social Security number.

barythrin
May 23rd, 2014, 12:43 PM
I think the "risk" other than obviously our data is stolen yet again which is annoying is that a lot of folks have credit cards or paypal tied in with their ebay account. So one could possibly try to go shopping with your account and have it sent somewhere else or just be a loser and let you deal with a bunch of bulk purchases of sweaty horse magazine at your door.

Uniballer
May 23rd, 2014, 12:48 PM
It seems to me that if my password wasn't obtained, they already have my information, so what good would resetting my PW do?

They got the "encrypted" passwords, and can try cracking them. If you don't change your password they can have your account bid on their stuff. Or offer their stuff for sale. Or something. I would think the main problem is if you used that same password elsewhere and they started trying to log in as you on other sites using your cracked ebay password. Hacking your account on a banking site, or paypal, etc. could give them some access you wouldn't like.

Chuck(G)
May 23rd, 2014, 02:03 PM
Well, that isn't going to happen, as the ebay password is unique to them. If a bid is registered, I can always object--after all, it's eBay's error, not mine.

Tor
May 23rd, 2014, 02:51 PM
Well, today I got my first foreign phishing text message on my mobile phone, ever. Could be a coincidence, or not.

eeguru
May 23rd, 2014, 03:11 PM
They obtained ciphered or hashed passwords for all users. I'm not sure what salting mechanism eBay uses if any, however they are concerned plain-text could be obtained through brute-force trial.

Chuck(G)
May 23rd, 2014, 03:17 PM
They obtained ciphered or hashed passwords for all users. I'm not sure what salting mechanism eBay uses if any, however they are concerned plain-text could be obtained through brute-force trial.

And eBay is so worried about this two months after the fact that they haven't bothered to send out email? There are some eBay users who visit the site only every few months.

About all I've seen is an uptick in spam.

vwestlife
May 23rd, 2014, 03:57 PM
I got the e-mail from eBay this morning asking me to change my password. But here's the thing: eBay clearly states that the attack happened "between late February and early March". That means the hackers have had over two months to try to crack our passwords. If they had been successful, and people started reporting suspicious behavior, I'm sure there would have been a quicker response from eBay. And if the hackers haven't been successful at unencrypting eBay's passwords, I'd think after two months they would've given up trying by now and moved on to other endeavors!

Shadow Lord
May 23rd, 2014, 03:58 PM
Well, the PW I really don't care about. I only use that PW on my eBay site and I visit eBay to notice any funny business. What concerns me is that they have my NAME, Physical Address/Contact Info, and Birthdate. To me those are much more valuable than a crappy PW on one single site.

Stone
May 23rd, 2014, 04:11 PM
What concerns me is that they have my NAME, Physical Address/Contact Info, and Birthdate.

I've got most of that. Want me to send it back? :-)

Shadow Lord
May 24th, 2014, 09:55 AM
I've got most of that. Want me to send it back? :-)

Yes, if you are involved with an organization set on defrauding people ;). Honestly, it all depends on how much effort they want to expend or what other info they have to cross reference with. But what they got from eBay is a great source for social engineering.

Chuck(G)
May 24th, 2014, 10:22 AM
Finally got my email advising the PW change this morning. Ebay can't be too worried about this, or else they'd invalidate everyone's current password and not re-activate until changed. Of course, that would cost them money...

offensive_Jerk
May 24th, 2014, 10:48 AM
never got an email, but got the message on the homepage

oblivion
May 24th, 2014, 10:57 AM
I've got most of that. Want me to send it back? :-)

LOL, I received the email yesterday.

Shadow Lord
May 24th, 2014, 04:51 PM
Incidentally as of three days ago I no longer receive my daily search results. I wonder if it is because of these emails being sent.

luvit
May 24th, 2014, 05:01 PM
What are the odds that eBay was confident in their encryption so they didn't want to make a big stink about it?.. then the press comes along 2 months later and makes a big stink about it.

Chuckster_in_Jax
May 24th, 2014, 06:29 PM
In the past 3 days I have had a rash of malware and trojans show up on my computer. I run malware software followed by virus scan which picks up several viruses. All is good for a day, then I get a window popup with a message that some program couldn't continue. Run malware and virus scan again and they pick up several more. Hope I finally got it all.
I rarely get infections, but this week has been really bad.

vwestlife
May 24th, 2014, 07:00 PM
Now upon login eBay has forced me to change my password.

k2x4b524[
May 24th, 2014, 09:15 PM
I got this too, which naturally I changed my password, which I do anyway routinely every 30 days or so for my banking, everything else is 60 - 90 days, except here, that's just when I remember to do it :P

In seriousness, I haven't had an increase in spam or an increase in malware / viruses, I have however, spent the better part of the last week cleaning several computers of such infections.

I don't think was too worried about it, but, and I mean a rather large BUT what about those of us that have paypal linked to ebay? Doesn't that open up another big risk if they cracked your EBay password?

Ole Juul
May 24th, 2014, 09:56 PM
Now upon login eBay has forced me to change my password.

Since you said that, I thought I'd go log in. I got that message too.