
Slashdot: News for Nerds


eBay Compromised

Unknown Lamer posted about 2 months ago | from the ebay-passwords-show-up-in-ebay-auction dept.

Security 193

New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."


193 comments

link? (2)

Imabug (2259) | about 2 months ago | (#47055857)

what, no link to the press release?

Re:link? (-1, Flamebait)

retech (1228598) | about 2 months ago | (#47055907)

Better yet, just logged into my ebay acct. and there's NOTHING in the communications there either.

Slashdot, now with less actual news and information, but nearly 100% sensational!

Re:link? (5, Informative)

ZiakII (829432) | about 2 months ago | (#47055937)

Better yet, just logged into my ebay acct. and there's NOTHING in the communications there either.

Slashdot, now with less actual news and information, but nearly 100% sensational!


I understand reading is hard so I highlighted the important parts for you.

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.

Re:link? (-1, Flamebait)

retech (1228598) | about 2 months ago | (#47056103)

As I stated, NO ALERTS in my account. So perhaps you should learn to read. Since you missed the major portion of what I wrote.

This may indicate that a specified group of ebay users are affected and is NOT site wide. But you'll miss this too since it's obviously implied and not spelled out letter by letter.

I appreciate that you're an asshole and Aspergers makes it hard to communicate. Perhaps 4chan is more your thing.

Re:link? (2, Insightful)

Anonymous Coward | about 2 months ago | (#47056179)

Wow, I realize he's using big words, but you understand what "later today" means, right? So, of course there are no alerts in your account. Reading is hard.

Re:link? (3, Insightful)

Jeff Flanagan (2981883) | about 2 months ago | (#47056193)

You seem badly broken, retech. Your posts indicate that you mistakenly believe that this is some kind of hoax, and you called a person who pointed out your error an asshole. It's clear that someone here is an asshole, but it isn't ZiakII.

Re:link? (0)

Anonymous Coward | about 2 months ago | (#47056235)

"So perhaps you should learn to read. Since you missed the major portion of what I wrote. "

Wow. Please take your own advice. He specifically stated, if you had bothered to read it, that the user alerts will begin __LATER_TODAY__. That means that alerts would not have begun prior to you checking your account __EARLIER_TODAY__.

Again: Later today.

Re:link? (1)

k6mfw (1182893) | about 2 months ago | (#47057017)

user alerts will begin __LATER_TODAY__. That means that alerts would not have begun prior to you checking your account __EARLIER_TODAY__.

Again: Later today.

Though risking karma getting into this fray, I must ask why LATER? If eBay knows a problem occurred, they should send out notice immediately instead of letting the forums run wild (if I see lots of stuff on forums but nothing from eBay then I would think it is a hoax. There's lots of similar crap on forums). Not all eBay users read slashdot, cnet, reddit, or ebayinc.

Re:link? (0)

Anonymous Coward | about 2 months ago | (#47056411)

So perhaps you should learn to read. . . . Perhaps 4chan is more your thing.

No. If he cannot read, Slashdot is EXACTLY the right place for him.

Re:link? (1)

Rob the Bold (788862) | about 2 months ago | (#47056471)

As I stated, NO ALERTS in my account. So perhaps you should learn to read. Since you missed the major portion of what I wrote.

So you can read stuff from the future, but instead of checking lottery results or the Daily Racing Form, you're reading your eBay messages?

Stealth notification (1)

Geoffrey.landis (926948) | about 2 months ago | (#47056997)

just logged into my ebay acct. and there's NOTHING in the communications there either.

Yes, I just logged on and don't see anything on their login page. Odd; you'd think that this would be the first place they'd put a note.

It's also very obscure how to change your e-bay password. You can do it... but it's buried way down in menus inside menus.

Maybe they're waiting until they can rewrite their login page to put the "change password" menu somewhere that an average user can actually FIND it.

The law says 7 days (2)

emil (695) | about 2 months ago | (#47056621)

Are they following the required procedures in each jurisdiction?

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx [ncsl.org]

These laws seem plentiful, varied and complex. I hope their corporate legal department wasn't planning on sleep for a few months.

Re:link? (1)

TechyImmigrant (175943) | about 2 months ago | (#47056653)

Better yet. I just logged in and I cannot find where to change my password.

Re:link? (1)

TechyImmigrant (175943) | about 2 months ago | (#47056717)

OK. I found it on the third go round, behind the locked door with the sign saying "beware of the leopard".
 

Re:link? (1)

Curunir_wolf (588405) | about 2 months ago | (#47056845)

Better yet. I just logged in and I cannot find where to change my password.

See where it says "Hi, [yourname]!" at the top left? Click it, then Account Settings -> Personal Information -> "Edit" on the Password line.

There, was that so hard?

Re:link? (1)

TechyImmigrant (175943) | about 2 months ago | (#47056927)

Well I looked many places and found that after the third go round. Not hard, but not obvious.

Re:link? (0)

Anonymous Coward | about 2 months ago | (#47056905)

Better yet, just logged into my ebay acct. and there's NOTHING in the communications there either.

Slashdot, now with less actual news and information, but nearly 100% sensational!

I understand reading is hard so I highlighted the important parts for you.

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.

For Slashdot, I would have thought that there would be less confusion over eBay's pullback of their notice....

I'm willing to bet that eBay is in the middle of validating that they have closed all of the security holes before sending out a communication to their customers. The message that was posted was likely either a draft or was posted prematurely. What's the sense of asking people to change their password now if there is still a breach?

Re:link? (1)

ZiakII (829432) | about 2 months ago | (#47055919)

what, no link to the press release?

The press link [ebayinc.com] is right in the summary.....

Re:link? (1)

Imabug (2259) | about 2 months ago | (#47055943)

ahh, there it is now. wasn't there when i first looked at the story

Re:link? (1)

Anonymous Coward | about 2 months ago | (#47056301)

http://blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords/

So... (2)

AbbyNormal (216235) | about 2 months ago | (#47055865)

A major news story, about a ginormous compromise gets published on Slashdot and there is NO source or link?

Re:So... (3, Funny)

MightyMartian (840721) | about 2 months ago | (#47056281)

Wait for the dupes.

First! (-1)

Anonymous Coward | about 2 months ago | (#47055867)

Yay! Now I can scratch 'first' achievement off my bucket list...

Since February and just now hearing about it?! (2)

sbrown123 (229895) | about 2 months ago | (#47055879)

How much you want to bet they have been sitting on this? Probably waited until X number of people were compromised and they couldn't cover it up any longer.

Since February and just now hearing about it?! (0)

Anonymous Coward | about 2 months ago | (#47055955)

As said in the article -> 2 weeks (or more)

Re:Since February and just now hearing about it?! (0)

Anonymous Coward | about 2 months ago | (#47055965)

It's probably not that they've been sitting on it since February, it's that they didn't DETECT it until two weeks ago. What probably happened is that they got compromised, and then whoever compromised it tried to sell the account information to the highest bidder. While I'm sure there are plenty of people on the black market who might have reason to buy one, it's probably not as lucrative as, say, stolen credit card numbers or bank account info. It probably took them the two to three month time gap to find a buyer. The buyer would've been the one to set off the alarms, since they'd actually be using the account info for something.

Re:Since February and just now hearing about it?! (4, Funny)

WWJohnBrowningDo (2792397) | about 2 months ago | (#47056373)

What probably happened is that they got compromised, and then whoever compromised it tried to sell the account information to the highest bidder.

"3 Million Stolen Ebay Accounts BNIB FREE SHIPPING NR US SELLER L@@K"

Re:Since February and just now hearing about it?! (3, Informative)

Sockatume (732728) | about 2 months ago | (#47056901)

That's a dangerous game. There's a legal precedent that they could be fined as much as one hundred thousand pounds in UK court for data protection breaches. It could take them days to find that much money in the sofa.

Wow, password security policy fail (2)

anolisporcatus (969211) | about 2 months ago | (#47055885)

Things like this would not happen if security policies were in place to force password changes.

Re:Wow, password security policy fail (3, Insightful)

radiumsoup (741987) | about 2 months ago | (#47055901)

yes, they would. keyloggers don't care how old your password is, nor does social engineering.

Re:Wow, password security policy fail (1)

anolisporcatus (969211) | about 2 months ago | (#47055927)

Agreed!

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056093)

Obligatory XKCD [xkcd.com]. Now, it would be ironic if they actually bought the "hacking device" from eBay.

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056007)

Trust me, they force password changes, and it didn't help in this case.

I work for eBay (contracted) so I will not go into detail (and stay anon), but it baffles me that you seem to think that password change policies are some sort of silver bullet.

Re:Wow, password security policy fail (0)

cyborg_monkey (150790) | about 2 months ago | (#47056031)

That's not true. I have had the same password for 12 years.

Re:Wow, password security policy fail (1, Insightful)

Tridus (79566) | about 2 months ago | (#47056089)

Are you an ebay employee? It was employee accounts that were compromised.

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056783)

Not only. Please read the summary carefully. Some compromised employee credentials were used to access the internal systems, which then was used to grab the database of all normal users.

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056105)

Mod parent up. eBay does not enforce password changes.

Re:Wow, password security policy fail (1)

Anonymous Coward | about 2 months ago | (#47056165)

-employee- passwords were compromised. Again, employee passwords are most definitely forced to update.

Re:Wow, password security policy fail (3, Insightful)

Anonymous Coward | about 2 months ago | (#47056141)

Working for another large company that enforces a password change policy, I can tell you that it leads to less secure passwords.

In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056285)

Working for another large company that enforces a password change policy, I can tell you that it leads to less secure passwords.

In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.

Yep, nobody wants to relearn a new password nor waste time getting locked out of their computer because they can't remember the new one and/or keep typing in the old one by reflex.

Re:Wow, password security policy fail (2)

K. S. Kyosuke (729550) | about 2 months ago | (#47056025)

They probably also wouldn't happen if eBay used database systems with per-column access privileges. (Why should human accounts to any business software regularly need access to masses of encrypted password data?)

Re:Wow, password security policy fail (0)

Anonymous Coward | about 2 months ago | (#47056073)

Bet his password was under 6 characters and dictionary based all lower case :D

Re:Wow, password security policy fail (3, Interesting)

Anonymous Coward | about 2 months ago | (#47056139)

Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.

After that, I just write it on a sticky note for my monitor, cuz ain't nobody got time for your crazy password schemes.

Password on cardboard in your wallet (3, Interesting)

tepples (727027) | about 2 months ago | (#47056325)

It's OK to write down your password [schneier.com]. Just keep the card in your wallet instead of on your monitor. You probably already keep a piece of plastic with your credit card number on it in the same wallet anyway.

Amateurs (0)

Anonymous Coward | about 2 months ago | (#47055895)

Why are companies the size of eBay still using passwords for their internal systems? FFS, it's amateur hour wherever you look.

Re:Amateurs (0)

Anonymous Coward | about 2 months ago | (#47055973)

Obviously it's for the NSA's benefit....

Re:Amateurs (0)

Anonymous Coward | about 2 months ago | (#47056649)

... it's amateur hour wherever you look.

And turtles all the way down.

Not even storing hashes?! (2)

BaronM (122102) | about 2 months ago | (#47055899)

Got to love a major ecommerce vendor who can't even get THAT right!

At some point, that has to count as negligence, and some sort of liability ought to attach.

Re:Not even storing hashes?! (0)

Anonymous Coward | about 2 months ago | (#47056473)

Sure, you should sue them for the cost of changing your password.

But nothing on their homepage? (0)

Anonymous Coward | about 2 months ago | (#47055939)

I just went to ebay and logged in, and was surprised to see nothing regarding this on their main page. How do they expect most people to see this!?

Re: But nothing on their homepage? (0)

Anonymous Coward | about 2 months ago | (#47055991)

Duh, Slashdot!

Re:But nothing on their homepage? (1)

Osiris Ani (230116) | about 2 months ago | (#47056071)

I just went to ebay and logged in, and was surprised to see nothing regarding this on their main page.

“eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords...”

And Everything Just Gets More Inconvenient (3, Insightful)

lazarus (2879) | about 2 months ago | (#47055963)

So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.

At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.

Re:And Everything Just Gets More Inconvenient (0)

Anonymous Coward | about 2 months ago | (#47056005)

I don't want to pay with my credit card. Pay with cash. Where'd you get that much cash? Did you steal it? CRIMINAL!

Re:And Everything Just Gets More Inconvenient (1)

oodaloop (1229816) | about 2 months ago | (#47056015)

Essentially, it is getting impossible to spend your own money.

First of all, if you're using a credit card, it's not your money. You're borrowing from someone else. Second, WTF? Companies want to get paid, so spending money is only getting easier. NFCs, RFID keypasses, POS readers everywhere, even the vending machines take credit and debit cards now.

Re:And Everything Just Gets More Inconvenient (0)

Anonymous Coward | about 2 months ago | (#47056117)

"First of all, if you're using a credit card, it's not your money. You're borrowing from someone else."

Yes. That said, I pay off my bill every month.

It's been a long time since I've been denied or slowed down because of fraud protection measures.

Re:And Everything Just Gets More Inconvenient (1)

Stan92057 (737634) | about 2 months ago | (#47056505)

Dude, the very same information "Name, Address, Phone Number" is in the local phone book. Has been for 50+ years.

Re:And Everything Just Gets More Inconvenient (2)

jabuzz (182671) | about 2 months ago | (#47056701)

I have not noticed date of birth being in the phone book. It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth. All they need to know is that I am over 18, then piss off with the intrusive data gathering.

Re:And Everything Just Gets More Inconvenient (2)

Obfuscant (592200) | about 2 months ago | (#47056937)

It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth.

They need to ask because of those quaint things known as laws created by lots of different places they operate in. Those laws differ as to what ages people must be to do certain things, or what companies can do.

All they need to know is that I am over 18,

So when do you change to "over 21" so you can do the things that you need to be 21 to do? Or do you just want to be "over 18" for the rest of your life and will you be upset when you can't do the things adults can do on their site?

If all you want to be is "over 18", give them a fake birthday that makes you "over 18". Problem solved.

Re:And Everything Just Gets More Inconvenient (0)

Anonymous Coward | about 2 months ago | (#47056673)

I hope not. The only reason one doesn't get a gun to their head or a knife to the throat when walking city streets these days is that muggers know that almost nobody carries cash, and that credit card fraud doesn't earn much for the drug habit. If people started carrying cash again, mugging cases will be back as almost daily occurrence as they were in 1970s-era NYC.

Hash algorithm? Static salt like eBay Japan? (2)

raymorris (2726007) | about 2 months ago | (#47056039)

If eBay US was using a static salt like eBay Japan was, this is a big deal. If they were using a proper (random) salt, and a strong hash, it's not that big of a deal. Does anyone have any idea how eBay hashes the passwords?

I'm not worried about it if they were doing something like:
UPDATE user SET password = ENCRYPT(password, CONCAT('$5$', uuid(), '$'));
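
The static-versus-random salt distinction raised in the comment above, as an added example that is not part of the original post and not eBay's code: it builds the same constructed account list twice and audits both tables the way a defender reviewing a credential store would. PBKDF2-HMAC-SHA256 stands in for the `$5$` crypt scheme in the SQL, and the account names, passwords and the static salt value are assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 10_000  # low so the demo runs fast; real deployments use far more

# Constructed sample accounts; alice and dave picked the same password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "tr0ub4dor&3",
    "carol": "hunter2",
    "dave": "correct horse",
    "erin": "Summer2014",
}
STATIC_SALT = b"site-wide-salt"  # hypothetical value: one salt for every row


def hash_password(password, salt):
    """Salted, iterated hash (stand-in for the crypt() scheme in the SQL)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_table(users, static_salt=None):
    """Return rows of {user, salt, hash}.

    With static_salt set, every row shares it; otherwise each row gets a
    fresh 16-byte salt from the OS CSPRNG.
    """
    table = []
    for user, password in users.items():
        salt = static_salt if static_salt is not None else os.urandom(16)
        table.append({"user": user, "salt": salt,
                      "hash": hash_password(password, salt)})
    return table


def audit(table):
    """Defender-side review of a credential table for salt reuse."""
    salt_counts = Counter(row["salt"] for row in table)
    hash_counts = Counter(row["hash"] for row in table)
    return {
        "distinct_salts": len(salt_counts),
        "salt_reused": any(n > 1 for n in salt_counts.values()),
        # Rows whose stored hash also appears on another row: with a shared
        # salt, equal passwords are visible without cracking anything.
        "accounts_sharing_a_hash": sum(n for n in hash_counts.values() if n > 1),
    }


def guessing_cost(table, candidates):
    """Hash evaluations needed to try `candidates` guesses against every row.

    Each distinct salt forces a separate pass over the candidate list, so a
    single shared salt lets one pass cover the whole table.
    """
    return len({row["salt"] for row in table}) * candidates


def verify(row, password):
    """Login check: recompute with the row's own salt, compare in constant time."""
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))


if __name__ == "__main__":
    tables = (
        ("static salt", build_table(SAMPLE_USERS, STATIC_SALT)),
        ("per-user random salt", build_table(SAMPLE_USERS)),
    )
    for label, table in tables:
        print(label, audit(table),
              "hashes for 1e6 guesses:", guessing_cost(table, 10**6))
```
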

Re:Hash algorithm? Static salt like eBay Japan? (1)

Lumpy (12016) | about 2 months ago | (#47056189)

They XOR your password against 1234567890

Re:Hash algorithm? Static salt like eBay Japan? (1)

Anonymous Coward | about 2 months ago | (#47056403)

I think less of an issue is the potential for people cracking the passwords, more to the point is all the personal information for 128 million ebay subscribers potentially having been stolen.

"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth."

Good point (1)

raymorris (2726007) | about 2 months ago | (#47056661)

I kind of had tunnel vision there, didn't I? That comes from 17 years of focusing on protecting passwords for a living.

Personal online information (4, Insightful)

jtollefson (1675120) | about 2 months ago | (#47056057)

Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.

In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.

Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.

Re:Personal online information (-1)

Anonymous Coward | about 2 months ago | (#47056115)

Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.

So if a 12 year old signs up, their account is forever restricted to being "under 13"? Or is your database system targeted at people who don't age? Or maybe you just didn't really think that one through....

Re:Personal online information (2)

jtollefson (1675120) | about 2 months ago | (#47056159)

I did, but, I guess I didn't feel that I needed to lay everything out. :) Folks aren't allowed to sign-up unless they're 13 or over, but, all you would need to do is have a weekly, or even a daily process that would synch those online flags with the actual offline birthday.

Re:Personal online information (1)

Obfuscant (592200) | about 2 months ago | (#47056971)

...but, all you would need to do is have a weekly, or even a daily process that would synch those online flags with the actual offline birthday.

I think I understand what you mean here, but could I just point out that if you have an automatic process that accesses actual birthday information then that information is online, too? If someone hacks an employee account and gets access to the name/etc database, why wouldn't they just copy the "actual birthday" information, too?

Re:Personal online information (1)

Obfuscant (592200) | about 2 months ago | (#47056723)

unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21".

Tomorrow the law changes and requires a certain other age for certain activities. How do you convert a simple "above 13" flag into the new "above 17"?

And then, how do you know to change the "above 13" into "above 21" as appropriate unless you know when the birthday is? Do you just wait 8 years and do it automatically?

And finally, if you're giving anyone who doesn't need it your correct birthday, you're the one at fault, not them for asking.

Security: A+ + + + + + + + + + (1, Funny)

Anonymous Coward | about 2 months ago | (#47056069)

Would hack again!

Re:Security: A+ + + + + + + + + + (2)

TheGratefulNet (143330) | about 2 months ago | (#47056509)

item not as described. password salt was actually pepper!

Re:Security: A+ + + + + + + + + + (1)

mu51c10rd (187182) | about 2 months ago | (#47056761)

That's what happens when the starting bid on their customer database is $0.99...

people at eBay are losers... (2)

DECTerm (1982022) | about 2 months ago | (#47056099)

Seems the people at eBay are complete losers. Thanks to Slashdot I just had a chat with the support at the UK eBay; they confirmed that I should change my password for my own safety, but NO fucking reply as to why there is no announcement on the local (i.e. UK) site. They only know well how to milk their customers (PayPal) too with their fees.

eBay is sitting pretty. (2)

140Mandak262Jamuna (970587) | about 2 months ago | (#47056167)

The top management of eBay is going, "OK, the hackers got in, stole the credentials, but what can they do with it? What good does it do to them? They got to sell it in eBay, right? It is in their own interest we stay afloat to provide them sheep for fleecing right? So we are likely to survive till I make bonus right? After we get our boni who cares what happens to the company? I should be able to find another company to wreck next year".

Anonymously Reporting (0)

Anonymous Coward | about 2 months ago | (#47056195)

Email Spam has been coming to my email preferenced through ebay with my username in the subject line for about a week or so. A lot of Costco and Walmart stuff that never used to show up. We will find you fucking hackers wherever you are.

This information wasn't available, anyway? (0)

Anonymous Coward | about 2 months ago | (#47056219)

I've used eBay for years, with a few clicks it's easy to find anyone's information (username, address, phone number, etc) - Sure, you can't just outright search for someone's profile with that information on there, but you can still very easily find information just a few clicks deep.

Next people will be up in arms over the Whois database having their addresses and phone numbers available to EVERYONE on the INTERNET!!!

NSA to blame? (1)

Anonymous Coward | about 2 months ago | (#47056237)

I wonder if the attackers used an NSA backdoor?

Password still not stored securely (2, Insightful)

anyaristow (1448609) | about 2 months ago | (#47056307)

The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.

Correction: Password length NOT shown (4, Informative)

anyaristow (1448609) | about 2 months ago | (#47056387)

I was wrong. They are always showing eight asterisks. It's not the length of your password unless your password is eight characters.

Re:Password still not stored securely (1)

Anonymous Coward | about 2 months ago | (#47056425)

They can if they store the length of the password prior to hashing it. Still not the best practice, but perfectly plausible

Re:Password still not stored securely (1)

cdrudge (68377) | about 2 months ago | (#47056455)

Did your password just happen to have 8 characters? My previous was 7 and it showed 8 asterisks, and I just changed it to something much longer than 8 characters and it still shows 8 asterisks.

Why only partial encryption? (1)

Anonymous Coward | about 2 months ago | (#47056329)

Why do these companies repeatedly store only *some* of my personal information encrypted? I'm getting really tired of these people leaking my home address, phone number, email address, birthday, etc. That is all information that can be used to impersonate me and gain access to other accounts, etc. At the very least, it leads to piles of annoying SPAM.

The PCI standards (see https://www.pcisecuritystandards.org/ ) require that sensitive information, such as credit card numbers, be stored encrypted. I really wish the feds would just require that *all* personal information be treated as "sensitive" and appropriately encrypted, audited, etc.

Re:Why only partial encryption? (1)

NapalmV (1934294) | about 2 months ago | (#47056587)

Why do these companies repeatedly store only *some* of my personal information encrypted?

Because cowboy attitude. We just had here the story on the EU law about deleting older links to personal data from search engines. Where most US contributors insisted that this data is "facts" and it would be "free speech" to disseminate it as businesses see fit. Combine this with EULA practices where businesses (many in monopoly position) will not service you unless you agree that they collect your personal data and share it freely with various "partners". When such practice is questioned they always justify it through "it's good for the economy". Case closed. Unless we take the time to question what exactly "economy" is. But we never do.

Where's the outrage from the righteous activists? (0)

PseudoCoder (1642383) | about 2 months ago | (#47056341)

Still waiting to hear about how awful it is for cyber-attackers to go in and steal stuff that will enable further stealing from millions of users; you know, the working types who just want to buy and transact each day and go about their business.

"eBay's awful, PayPal's awful, blah blah blah. Guy Fawkes masks are cool, Marx and Che are cool, so is sticking it to the corporations. Ha ha the companies should hire me because I know better than their dumb security people doing dumb security stuff."

How many slashdotters worship all the cool haxxorz that keep causing losses in the millions and billions each year? And no standing up for the basic principle of not stealing. Ultimately that's the working man they're stealing from because a) identity theft hits everyone from the top to the bottom of the income scale, and b) the working man's 401k is staked on corporate profits.

Throw away password (1)

iONiUM (530420) | about 2 months ago | (#47056343)

As per my usual, my eBay account has all fake information and a throw-away password. eBay often tells me to make it stronger, but it's ironic, because had I actually used a strong "normal" password (one of my strong ones I can remember), it would now have been possibly compromised.

I think this might be an argument for using crap usernames/passwords for sites you don't trust (which is most of them), because chances are, they're going to leak your information at some point.

Re:Throw away password (1)

Rob the Bold (788862) | about 2 months ago | (#47056589)

As per my usual, my eBay account has all fake information and a throw-away password.

I don't get it. Why? How do you buy or sell stuff with fake info? Or if you don't buy or sell stuff, why create a login at all? Can't one browse through listings all they want without an account?

Is there a link to the info (0)

Anonymous Coward | about 2 months ago | (#47056397)

I lost my PayPal password years ago.
Maybe if I get the hash I can crack it myself.

Snowden? Is that you? (0)

Anonymous Coward | about 2 months ago | (#47056413)

Sounds like someone duped an employee into revealing their login/password; they might even have used a keylogger to capture it. Where have we heard that before?

Revert to cash? (1)

TigerPlish (174064) | about 2 months ago | (#47056439)

I already use cash if I can't eyeball the person swiping the card or swipe it myself.

Maybe we should go back to cash and checks.

I've been in IT since 1999 as a pro and 1982 as a hobbyist, and I give up -- The System cannot be trusted. NSA reading my crap, companies being negligent / careless / indifferent with private / financial data .. script kiddies and organized crims.. enough!

Re:Revert to cash? (0)

Anonymous Coward | about 2 months ago | (#47056523)

I already use cash if I can't eyeball the person swiping the card or swipe it myself.

Maybe we should go back to cash and checks.

I've been in IT since 1999 as a pro and 1982 as a hobbyist, and I give up -- The System cannot be trusted. NSA reading my crap, companies being negligent / careless / indifferent with private / financial data .. script kiddies and organized crims.. enough!

Checks are horribly insecure. With the front of one of your checks, someone can drain your bank account. This is why Donald Knuth stopped sending checks for bugs found in TeX.

123456 probably most used password (1)

lemur3 (997863) | about 2 months ago | (#47056569)

Whenever this happens I will now think of the Adobe password breach ... 130 million accounts.

roughly 10% of those had "123456" as their password..

you can see the other top 99 here: http://stricture-group.com/fil... [stricture-group.com] ..probably a good time to reconsider the re-use of passwords.. use a password vault....

Class Action (1)

ilikenwf (1139495) | about 2 months ago | (#47056617)

Who's with me?

Re:Class Action (1)

Rob the Bold (788862) | about 2 months ago | (#47056877)

Who's with me?

I'm in! Why not? I can't wait for that settlement when I get 47 cents off my next eBay invoice. Or 0.2% of my seller fees charged from July 1, 1998 to August 27th, 2004 refunded to my account if I have the documentation to prove it.

yet to be dropped shoe: paypal? (0)

Anonymous Coward | about 2 months ago | (#47056623)

I wonder just how much info an attacker could have obtained?

Security Token? (1)

NF6X (725054) | about 2 months ago | (#47056641)

eBay and PayPal used to offer security tokens to provide one-time PINs to be used at login. They were offered as either physical tokens or as smartphone apps. I just tried to look for them on the eBay and PayPal sites, but I no longer see any mention of them. Have they stopped supporting the tokens?

PayPal now just appears to offer something called PayPal Security Key in which they send OTPs via SMS, and I don't see anything like that on the eBay site.

I'm not worried (5, Funny)

Dishwasha (125561) | about 2 months ago | (#47056645)

I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.

Wait - what?! (5, Informative)

ripvlan (2609033) | about 2 months ago | (#47056789)

The hackers gained access to " name, [...], physical address, phone number and date of birth"

But they "did not [access] other confidential personal information"

What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identity theft.

Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?

Aw cripes, not again! (4, Funny)

marciot (598356) | about 2 months ago | (#47056999)

This is the THIRD time this month I've had to change my date of birth due to a compromised website.
