eBay Compromised
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this."
From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
Re:Wow, password security policy fail (Score:4, Insightful)
Yes, they would. Keyloggers don't care how old your password is, nor does social engineering.
And Everything Just Gets More Inconvenient (Score:4, Insightful)
So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.
At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.
Personal online information (Score:4, Insightful)
In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database; it should have been stored separately and linked on retrieval.
Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.
Re:Wow, password security policy fail (Score:2, Insightful)
Are you an ebay employee? It was employee accounts that were compromised.
Re:Wow, password security policy fail (Score:3, Insightful)
Working for another large company that enforces a password change policy, I can tell you that it leads to less secure passwords.
In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.
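An added example, not part of the comment above or of any company's code: a check a password-change form could run to catch the two habits the survey describes, a short capitalized word with a counter or month/year suffix, and a new password that only bumps the suffix of the old one. It assumes the current password is typed into the same form (so both plaintexts are in memory and nothing extra is stored); all function names and sample passwords are hypothetical.

```python
import re

_MONTH = (r"(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
          r"aug(?:ust)?|sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)")
# Trailing counter/date: optional month name, then digits with / . - separators,
# then optional punctuation added to satisfy a "special character" rule.
_SUFFIX = re.compile(rf"{_MONTH}?[\d/.\-]*[!@#$%^&*?]*$", re.IGNORECASE)
_SHORT_WORD = re.compile(r"[A-Z][a-z]{2,9}")


def split_suffix(password):
    """Return (base, suffix); suffix is the trailing counter/date part, possibly empty."""
    m = _SUFFIX.search(password)  # always matches, at worst the empty string at the end
    return password[:m.start()], password[m.start():]


def is_word_plus_counter(password):
    """Short capitalized word followed by a suffix that contains a digit."""
    base, suffix = split_suffix(password)
    return bool(_SHORT_WORD.fullmatch(base)) and any(c.isdigit() for c in suffix)


def is_rotation_variant(old, new):
    """True when new differs from old only in letter case or in the trailing suffix."""
    old_base, _ = split_suffix(old)
    new_base, _ = split_suffix(new)
    return len(new_base) >= 3 and old_base.lower() == new_base.lower()


def check_password_change(old, new):
    """Reasons to reject `new`; an empty list means neither pattern matched."""
    reasons = []
    if is_rotation_variant(old, new):
        reasons.append("same base as previous password")
    if is_word_plus_counter(new):
        reasons.append("short capitalized word plus counter or date")
    return reasons


if __name__ == "__main__":
    # Constructed sample pairs (old, new) for illustration only.
    for old, new in [("Summer7", "Summer8"),
                     ("Winter0414", "Spring05/2014"),
                     ("Summer7", "correct horse battery staple")]:
        print(repr(new), "->", check_password_change(old, new) or "no pattern matched")
```

An empty result only means these two patterns were not found; it is not a strength rating.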
Re:link? (Score:2, Insightful)
Re:link? (Score:4, Insightful)
Password still not stored securely (Score:3, Insightful)
The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.