eBay Compromised

New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Lets hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."

Re:Wow, pasword security policy fail

[radiumsoup]

yes, they would. keyloggers don't care how old your password is, nor does social engineering.

And Everything Just Get's More Inconvenient

[lazarus]

So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.

At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.

Personal online information

[jtollefson]

Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.

In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.

Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.

Re:Wow, pasword security policy fail

[Tridus]

Are you an ebay employee? It was employee accounts that were compromised.

Re:Wow, pasword security policy fail

[Anonymous Coward]

Working for another large company that enforces a password change policy, i can tell you that it leads to less secure passwords.

In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.

Re:link?

[Anonymous Coward]

Wow, I realize he's using big words, but you understand what "later today" means, right? So, of course there are no alerts in your account. Reading is hard.

Re:link?

[Jeff Flanagan]

You seem badly broken retech. Your posts indicate that you mistakenly believe that this is some kind of hoax, and you called a person who pointed out your error an asshole. It's clear that someone here is an asshole, but it isn't ziakll.

Password still not stored securely

[anyaristow]

The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.