Forgot your password?
typodupeerror
Security

eBay Compromised 193

Posted by Unknown Lamer
from the ebay-passwords-show-up-in-ebay-auction dept.
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Lets hope there's more juice on this." From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
This discussion has been archived. No new comments can be posted.

eBay Compromised

Comments Filter:
  • by Imabug (2259) on Wednesday May 21, 2014 @10:14AM (#47055857) Homepage Journal

    what, no link to the press release?

    • by ZiakII (829432)
      what, no link to the press release?

      The press link [ebayinc.com] is in right in the summary.....
  • by AbbyNormal (216235) on Wednesday May 21, 2014 @10:14AM (#47055865) Homepage

    A major news story, about a ginormous compromise gets published on Slashdot and there is NO source or link?

  • How much you want to bet they have been sitting on this? Probably waited until X number of people were compromised and they couldn't cover it up any longer.

  • Things like this would not happen if security policies were in place to force password changes.
    • by radiumsoup (741987) on Wednesday May 21, 2014 @10:17AM (#47055901)

      yes, they would. keyloggers don't care how old your password is, nor does social engineering.

    • They probably also wouldn't happen if eBay used database systems with per-column access privileges. (Why should human accounts to any business software regularly need access to masses of encrypted password data?)
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.

      After that, I just write it on a stick note for my monitor, cuz ain't nobody got time for your crazy password schemes.

  • by BaronM (122102) on Wednesday May 21, 2014 @10:17AM (#47055899)

    Got to love a major ecommerce vendor who can't even get THAT right!

    At some point, that has to count as negligence, and some sort of liability ought to attach.

  • by lazarus (2879) on Wednesday May 21, 2014 @10:24AM (#47055963) Journal

    So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.

    At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.

    • by oodaloop (1229816)

      Essentially, it is getting impossible to spend your own money.

      First of all, if you're using a credit card, it's not your money. You're borrowing from someone else. Second, WTF? Companies want to get paid, so spending money is only getting easier. NFCs, RFID keypasses, POS readers everywhere, even the vending machines take credit and debit cards now.

    • by drinkypoo (153816)

      At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.

      I bought a car with cash. Later they tried to claim that I owed them more money for the registration, but that was bullshit so I didn't pay them anything. Since they didn't have access to any of my bank account etc information, they had to go fuck themselves. They didn't even do the brakes like they claimed they did, assholes.

  • by raymorris (2726007) on Wednesday May 21, 2014 @10:31AM (#47056039)

    If eBay US was using a static salt like eBay Japan was, this is a big deal. If they were using a proper (random) salt, and a strong hash, it's not that big of a deal. Does anyone have any idea how eBay hashes the passwords?

    I'm not worried about it if they were doing something like:
    UPDATE user SET password= ENCRYPT(password, CONCAT('$5$' , uuid(), '$')

    • by Lumpy (12016)

      They XOR your password against 1234567890

    • It's not particularly the strength of the hash that worries me, it's the speed of it. If they're using something like SHA256 - strong, but fast - then I'd be worried.

      • by raymorris (2726007) on Wednesday May 21, 2014 @01:10PM (#47057675)

        Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.

        Ebay currently requires that passwords have uppercase, lower case, and number or punctuation, so lets say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.

        As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.

        So how many seconds will it take to try all of the passwords?
        1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
        On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
        125,000,000,000 / 3600 = 34,722,222 hours
        34,722,222 / 24 = 1,446,759
        3963 years

        I'm happy with 3,963 years per password.

        That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.

        It seems to me that when using good salt, so the bad guy has to attack one password a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.

        • Well, I would dispute those calculations a bit, but I accept that good long per-account salting forces each password to be cracked individually. I assume that the salt is compromised along with the password (or they won't be cracked at all).

          Even randomly selected passwords from all alphanumeric characters only gives us about 6 bits of entropy per character. Most passwords are shorter than 10 characters, the average is more like 7. This only gives us 42 bits of entropy per password, assuming complete rando

          • On it's front page, oclHashcat says it can run sha256() 11 million (not billion) times per second on a GPU. That's reasonably close to what I get.

            crypt($5$) is 110,000 rounds of sha256(). Therefore, hashcat can run crypt($5$) 100 times per second.

            You thought "easily check over 10 billion hashes a second", hashcat's web page says 100 per second. Doing 110,000 rounds instead of one matters, and of course there's the little confusion between million and billion.

            • Hmmm... I got my performance stats from a different web site. But the performance table on oclHashcat's fron page says 11231M c/s for SHA256. That's eleven billion a second, admittedly using 8 GPUs, but in the ballpark of my original post.

              If crypt is iterating SHA256 110,000 times, that sounds fairly good. I've been looking at scrypt, which is explicitly designed to resist hardware based attacks.

              • Avoiding the word "billion" because it means different things in different countries ...

                > oclHashcat's fron page says 11231M c/s for SHA256

                Yes, I should get some sleep. Divide that by 110,000 rounds, you get 102,100 hashes ($5$) per second. A bit higher than 100, and a bit lower than 10 billion. For any definition of billion. :)

                Note my original calculation assumed 4 million hashes per second. With the oclHashcat numbers, we're looking at 160,000 years per password, for a reasonably good password.

                If the

        • I hadn't changed my eBay password since I created my account, circa 1998, and it was 8 characters long all lower case. Replaced it with something more robust.
        • I can't remember if ebay has security questions, but if it does, that could compromise your other accounts that also have security questions.
  • by jtollefson (1675120) on Wednesday May 21, 2014 @10:34AM (#47056057)
    Just one more company giving one more reason why corporations should not be allowed to store personal information beyond what is absolutely necessary. Birthday would not necessarily need to be stored anyplace directly accessible, unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21". If they absolutely needed to have the birthday for representation or audit purposes it could be stored in an offline version that could be brought online as needed.

    In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.

    Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.
    • by Obfuscant (592200)

      unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21".

      Tomorrow the law changes and requires a certain other age for certain activities. How do you convert a simple "above 13" flag into the new "above 17"?

      And then, how do you know to change the "above 13" into "above 21" as appropriate unless you know when the birthday is? Do you just wait 8 years and do it automatically?

      And finally, if you're giving anyone who doesn't need it your correct birthday, you're the one at fault, not them for asking.

  • Seems the people at eBay are completely losers, thanx to slashdot I just had a chat with the support at the UK eBay, they confirmed that I should change my password for my own safety, but NO fucking reply why there is no announcement on the local (ie. UK) site. They just only know well to milk their customers (Paypal) too with their fees.
  • by 140Mandak262Jamuna (970587) on Wednesday May 21, 2014 @10:46AM (#47056167) Journal
    The top management of eBay is going, "OK, the hackers got in, stole the credentials, but what can they do with it? What good does it do to them? They got to sell it in eBay, right? It is in their own interest we stay afloat to provide them sheep for fleecing right? So we are likely to survive till I make bonus right? After we get our boni who cares what happens to the company? I should be able to find another company to wreck next year".
  • by anyaristow (1448609) on Wednesday May 21, 2014 @11:03AM (#47056307)

    The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.

  • As per my usual, my eBay account has all fake information and a throw-away password. eBay often tells me to make it stronger, but it's ironic, because had I of actually used a strong "normal" password (one of my strong ones I can remember), it would now have been possibly compromised.

    I think this might be an argument for using crap usernames/passwords for sites you don't trust (which is most of them), because chances are, they're going to leak your information at some point.

    • As per my usual, my eBay account has all fake information and a throw-away password.

      I don't get it. Why? How do you buy or sell stuff with fake info? Of if you don't buy or sell stuff, why create a login at all? Can't one browse through listings all they want without an account?

  • I already use cash if I can't eyeball the person swiping the card or swipe it myself.

    Maybe we should go back to cash and checks.

    I've been in IT since 1999 as a pro and 1982 as a hobbyist, and I give up -- The System cannot be trusted. NSA reading my crap, companies being negligent / careless / indifferent with private / financial data .. script kiddies and organized crims.. enough!

  • Whenever this happens I will now think of the Adobe password breach ... 130million accounts.

    roughly 10% of those had "123456" as their password..

    you can see the other top 99 herE: http://stricture-group.com/fil... [stricture-group.com] ..probably a good time to reconsider the re-use of passwords.. use a password vault....

  • Who's with me?
    • Who's with me?

      I'm in! Why not? I can't wait for that settlement when I get 47 cents off my next eBay invoice. Or 0.2% of my seller fees charged from July 1, 1998 to August 27th, 2004 refunded to my account if I have the documentation to prove it.

  • eBay and PayPal used to offer security tokens to provide one-time PINs to be used at login. They were offered as either physical tokens or as smartphone apps. I just tried to look for them on the eBay and PayPal sites, but I no longer see any mention of them. Have they stopped supporting the tokens?

    PayPal now just appears to offer something called PayPal Security Key in which they send OTPs via SMS, and I don't see anything like that on the eBay site.

  • by Dishwasha (125561) on Wednesday May 21, 2014 @11:35AM (#47056645)

    I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.

    • by k6mfw (1182893)
      so do I, and every major bank including ones I don't have accounts with! with all kidding aside some of these spoof sites are pretty impressive, until you see what domain they actually point to. Scary thing is many people don't at bottom of window to see what URL (or worse the browser has this option turned off).
  • Wait - what?! (Score:5, Informative)

    by ripvlan (2609033) on Wednesday May 21, 2014 @11:47AM (#47056789)

    The hackers gained access to " name, [...], physical address, phone number and date of birth"

    But they "did not [access] other confidential personal information"

    What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identify theft.

    Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?

  • by marciot (598356) on Wednesday May 21, 2014 @12:05PM (#47056999)

    This is the THIRD time this month I've had to change my date of birth due to compromised website.

    • That's nothing. This is the third time this month I've had to get a finger transplant due to compromised biometrics.

  • Password: now changed.
    Date of birth: changed, new birth certificate acquired.
    Home address: moving house tomorrow.

  • by Rinikusu (28164) on Wednesday May 21, 2014 @12:34PM (#47057323)

    And ebay wants me to type in my full credit card/bank account information to verify my identity. No, this doesn't look like a phishing attempt at all. Even if it's legit, it's bad form.

  • by Optic7 (688717) on Wednesday May 21, 2014 @01:46PM (#47058031)

    I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.

    By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.

    • I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.

      By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.

      One thing I've done for a while now is use Citicards' Virtual Account Number service for any online credit card purchases. It generates a unique number that can be used one time (sorta - if the purchase has multiple stages like Amazon does for example, the retailer can place several charges) by one retailer. It's a bit of trouble, but I don't have to concern myself that a compromise at one business will cause me to have to replace the card. Plus, if a compromise ever happens, it'll be immediately apparent w

      • by Optic7 (688717)

        Thanks for the idea, and I'll check if my bank offers something similar for my credit card. But I'm going to stick with credit cards from now on. I realize now that there's a reason why banks seem to try to push us to use debit cards every change they get.

        Here's an article describing why:
        http://www.consumerreports.org... [consumerreports.org]

        I say screw them, at least until they pull their heads out of their asses and give us secure cards (chip and pin).

  • It's nice that "no financial information" got compromised, but with my name, address, and date of birth, the crackers won't have any trouble accessing credit in my name. Sigh. Looks like I'm going to have to activate credit monitoring. If eBay has any sense, it'll offer that service for free for everyone whose data was vulnerable.
  • So the password I was using had 113 bits of entropy. Does anyone know the likelihood this can be cracked?

    Or is it pretty safe given that most people will have easier to break passwords?

  • Accounts' passwords expired and have to be changed. :/

  • Tried to change my ebay password and got this:

    Page not available
    Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.

One man's constant is another man's variable. -- A.J. Perlis

Working...