eBay Compromised
New submitter bobsta22 (583801) writes "eBay has suffered a security compromise requiring them to have all users change their passwords. As yet only a press release. Let's hope there's more juice on this."
From the press release: "Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. ... The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago."
link? (Score:3)
what, no link to the press release?
Re: (Score:2)
The press link [ebayinc.com] is right in the summary.....
Re: (Score:2)
Ahh, there it is now. Wasn't there when I first looked at the story.
Re:link? (Score:5, Informative)
Slashdot, now with less actual news and information, but nearly 100% sensational!
I understand reading is hard so I highlighted the important parts for you.
eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.
The law says 7 days (Score:3)
Are they following the required procedures in each jurisdiction?
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx [ncsl.org]
These laws seem both plentiful, varied and complex. I hope their corporate legal department wasn't planning on sleep for a few months.
Re: (Score:2)
Better yet. I just logged in and I cannot find where to change my password.
Re: (Score:2)
OK. I found it on the third go round, behind the locked door with the sign saying "beware of the leopard".
Re: (Score:2)
Logged into eBay, in a foreign language (and not English), and found it trivially :)
Re: (Score:2)
Better yet. I just logged in and I cannot find where to change my password.
See where it says "Hi, [yourname]!" at the top left? Click it, then Account Settings -> Personal Information -> "Edit" on the Password line.
There, was that so hard?
Re: (Score:2)
Well I looked many places and found that after the third go round. Not hard, but not obvious.
Re: (Score:2)
Well I looked many places and found that after the third go round. Not hard, but not obvious.
I definitely agree that it's pretty buried for such an important function.
Re: (Score:2)
It's at least more obvious than changing a Gmail password nowadays... at least eBay has your name, indicating that clicking there may be vaguely related to your account. Gmail I had to click on a silhouette, then something account-sounding, then finally a "security" tab. Forget buried, you need an archaeologist to find that one...
Re: (Score:2)
Agreed...took me going through a few menus to actually find it. One would think it'd be more intuitive.
Re: (Score:2)
Better yet. I just logged in and I cannot find where to change my password.
See where it says "Hi, [yourname]!" at the top left? Click it, then Account Settings -> Personal Information -> "Edit" on the Password line. There, was that so hard?
Yes. That's a stupid place to hide it. Clicking "Hi [username]" is not an obvious place to look -- to me, this counts as "hide this menu item as far away from the user as possible". I did in fact find it, but "just keep clicking menu and submenu and sub-submenu items at random and eventually you'll get there" is not really a good user interface strategy (although it seems to be a very common user interface strategy).
Re: (Score:2)
...Grandma? ;)
Re: (Score:2)
Not until the sex change.
Re: (Score:2)
This retech user has provided advice in his signature as to how to best respond to his posts.
Re: (Score:2)
As I stated, NO ALERTS in my account. So perhaps you should learn to read. Since you missed the major portion of what I wrote.
So you can read stuff from the future, but instead of checking lottery results or the Daily Racing Form, you're reading your eBay messages?
Stealth notification (Score:2)
just logged into my ebay acct. and there's NOTHING in the communications there either.
Yes, I just logged on and don't see anything on their login page. Odd; you'd think that this would be the first place they'd put a note.
It's also very obscure how to change your e-bay password. You can do it... but it's buried way down in menus inside menus.
Maybe they're waiting until they can rewrite their login page to put the "change password" menu somewhere that an average user can actually FIND it.
Re: (Score:2)
Something this major would have to be routed through legal. This is not a quick nor easy process. Second, I assume they would also need to get it translated into various languages, again not quick nor easy.
Re: (Score:2)
user alerts will begin __LATER_TODAY__. That means that alerts would not have begun prior to you checking your account __EARLIER_TODAY__.
Again: Later today.
Though risking karma getting into this fray, I must ask why LATER? If eBay knows a problem occurred, they should send out notice immediately instead of letting the forums run wild (if I see lots of stuff on forums but nothing from eBay then I would think it is a hoax. There's lots of similar crap on forums). Not all eBay users read Slashdot, CNET, Reddit, or ebayinc.
Re: (Score:2)
I suspect because the part of their system which changes passwords is seriously overloaded. I'm trying to change mine, but so far can't even get the page to load.
So... (Score:3)
A major news story, about a ginormous compromise gets published on Slashdot and there is NO source or link?
CNN now has the story (Score:2)
Re:So... (Score:4, Funny)
Wait for the dupes.
Since February and just now hearing about it?! (Score:3)
How much you want to bet they have been sitting on this? Probably waited until X number of people were compromised and they couldn't cover it up any longer.
Re:Since February and just now hearing about it?! (Score:4, Informative)
That's a dangerous game. There's a legal precedent that they could be fined as much as one hundred thousand pounds in UK court for data protection breaches. It could take them days to find that much money in the sofa.
Re:Since February and just now hearing about it?! (Score:5, Funny)
What probably happened is that they got compromised, and then whoever compromised it tried to sell the account information to the highest bidder.
"3 Million Stolen Ebay Accounts BNIB FREE SHIPPING NR US SELLER L@@K"
Wow, password security policy fail (Score:2)
Re:Wow, password security policy fail (Score:4, Insightful)
Yes, they would. Keyloggers don't care how old your password is, nor does social engineering.
Re: (Score:3, Interesting)
Yes, it is very difficult when you know the previous password was "superman1" to guess what tomorrow's password will be. Or, if you got creative, if last month's password was "g0dOctober", I can only guess what November's password will be.
After that, I just write it on a sticky note for my monitor, cuz ain't nobody got time for your crazy password schemes.
Password on cardboard in your wallet (Score:4, Interesting)
Re: (Score:2)
Better yet, write down most of your password and memorize the rest. Just a few extra letters (it can be the same for every site) will defeat the average pickpocket who obtains your wallet. Meanwhile, the written-down part of the password, which should be different for every site, can be long enough to defeat electronic attacks.
Re: (Score:3, Insightful)
Working for another large company that enforces a password change policy, I can tell you that it leads to less secure passwords.
In a survey around the office, ~90% of the people admitted that since the policy got put in place they use a short capitalized word and either an incrementing number or the current month/year at the end.
Re: (Score:2, Insightful)
Are you an ebay employee? It was employee accounts that were compromised.
Not even storing hashes?! (Score:3)
Got to love a major ecommerce vendor who can't even get THAT right!
At some point, that has to count as negligence, and some sort of liability ought to attach.
And Everything Just Get's More Inconvenient (Score:4, Insightful)
So they didn't get payment information, but they got everything they needed to apply for credit in your name. Perfect. It took me an hour to buy my last laptop in a retail store with my credit card in my hand because my card company was so totally paranoid about fraud that they put me through the third degree to ensure I was who I said I was. And it's just going to get worse.
At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.
Re: (Score:2)
Essentially, it is getting impossible to spend your own money.
First of all, if you're using a credit card, it's not your money. You're borrowing from someone else. Second, WTF? Companies want to get paid, so spending money is only getting easier. NFCs, RFID keypasses, POS readers everywhere, even the vending machines take credit and debit cards now.
Re: (Score:2)
At this rate cash will be king again. Oh no, wait, that can be fraudulent too. Essentially, it is getting impossible to spend your own money.
I bought a car with cash. Later they tried to claim that I owed them more money for the registration, but that was bullshit so I didn't pay them anything. Since they didn't have access to any of my bank account etc information, they had to go fuck themselves. They didn't even do the brakes like they claimed they did, assholes.
Re: (Score:3)
I have not noticed date of birth being in the phone book. It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth. All they need to know is that I am over 18, then piss off with the intrusive data gathering.
Re: (Score:3)
It actually bothers me that companies such as eBay think that they need or should even ask for a date of birth.
They need to ask because of those quaint things known as laws created by lots of different places they operate in. Those laws differ as to what ages people must be to do certain things, or what companies can do.
All they need to know is that I am over 18,
So when do you change to "over 21" so you can do the things that you need to be 21 to do? Or do you just want to be "over 18" for the rest of your life and will you be upset when you can't do the things adults can do on their site?
If all you want to be is "over 18", give them a fake birthday that
Re: (Score:2)
D.O.B. should never be used for security as it is public record.
My bank uses it as a security question!! Fucking idiots.
Normally I make up a D.O.B. and stick it in passwordsafe with other info, my pet dog 86igwsv3fmyqeu agrees that this is a good idea, so does my girlfriend who I met in Antares!
Hash algorithm? Static salt like eBay Japan? (Score:3)
If eBay US was using a static salt like eBay Japan was, this is a big deal. If they were using a proper (random) salt, and a strong hash, it's not that big of a deal. Does anyone have any idea how eBay hashes the passwords?
I'm not worried about it if they were doing something like:
-- per-row random salt: the UUID() call is evaluated for every row, so no two users share a salt
UPDATE user SET password = ENCRYPT(password, CONCAT('$5$', UUID(), '$'));
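The static-salt versus per-user-salt distinction the post raises, as an added illustration (this is not eBay's code; PBKDF2-HMAC-SHA256 stands in for the crypt $5$ scheme, and the user names, passwords and salt values are constructed):

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not eBay's code. PBKDF2-HMAC-SHA256 stands in for the
# iterated SHA-256 crypt ("$5$") scheme discussed in the thread; the round
# count is the 110,000 figure quoted in the thread, taken as given.
ROUNDS = 110_000

# The weak design: one site-wide salt shared by every account (constructed value).
STATIC_SALT = b"constructed-site-wide-salt"


def hash_static(password: str) -> bytes:
    """Hash with the shared static salt: equal passwords give equal hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), STATIC_SALT, ROUNDS)


def hash_per_user(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with a fresh 16-byte random salt per account; the salt is stored
    beside the hash (it is not secret, it only has to be unique)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, stored)


def count_duplicate_hashes(hashes: List[bytes]) -> int:
    """Number of stored hashes that coincide with another row's hash.
    Under a static salt this reveals exactly which accounts share a password,
    so one guess of that value covers all of them at once; a per-user salt
    hides it, and every row then has to be attacked separately."""
    counts: Dict[bytes, int] = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(n for n in counts.values() if n > 1)


def demo() -> Dict[str, object]:
    # Constructed sample table: three users, two of whom chose the same password.
    users = {"alice": "superman1", "bob": "superman1", "carol": "g0dOctober"}
    static_table = {u: hash_static(p) for u, p in users.items()}
    salted_table = {u: hash_per_user(p) for u, p in users.items()}
    return {
        "static_duplicates": count_duplicate_hashes(list(static_table.values())),
        "salted_duplicates": count_duplicate_hashes([h for _, h in salted_table.values()]),
        "bob_correct_password": verify("superman1", *salted_table["bob"]),
        "bob_wrong_password": verify("superman2", *salted_table["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```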
Re: (Score:2)
They XOR your password against 1234567890
Re: (Score:2)
It's not particularly the strength of the hash that worries me, it's the speed of it. If they're using something like SHA256 - strong, but fast - then I'd be worried.
3,963 years per password (Score:4, Interesting)
Let's assume they are using a good salt. With more than 64 bits of entropy, that means the bad guy has to crack one password at a time. That's critically important.
Ebay currently requires that passwords have uppercase, lowercase, and number or punctuation, so let's say a typical password is about 60 bits of entropy*. (That's a rough guess). So we have roughly 1 X 10^18 passwords to try.
As I recall, crypt() defaults to 110,000 rounds, so we can crypt($5$) about 4,000,000 times per second.
So how many seconds will it take to try all of the passwords?
1 X 10^18 / 4 X 10^6 = 2.5 X 10^11 = 250,000,000,000 seconds
On average, we'll need to try half of the passwords to get the right one, so we'll need 125,000,000,000 seconds.
125,000,000,000 / 3600 = 34,722,222 hours
34,722,222 / 24 = 1,446,759
3963 years
I'm happy with 3,963 years per password.
That assumes 60 bits of entropy in the password - a decently good password. With a 50 bit password, it would be three years per password - still not too feasible for a Paypal password. A 40 bit password would fall in about 33 hours, if I did that bit of math right. That's still kind of high, but certainly doable - you just won't get very many people's passwords.
It seems to me that when using good salt, so the bad guy has to attack one password at a time, and a reasonably good password, SHA256 is definitely not too fast to be secure.
Re: (Score:2)
Well, I would dispute those calculations a bit, but I accept that good long per-account salting forces each password to be cracked individually. I assume that the salt is compromised along with the password (or they won't be cracked at all).
Even randomly selected passwords from all alphanumeric characters only gives us about 6 bits of entropy per character. Most passwords are shorter than 10 characters, the average is more like 7. This only gives us 42 bits of entropy per password, assuming complete rando
Would be 100 million as fast as hashcat claims (Score:2)
On its front page, oclHashcat says it can run sha256() 11 million (not billion) times per second on a GPU. That's reasonably close to what I get.
crypt($5$) is 110,000 rounds of sha256(). Therefore, hashcat can run crypt($5$) 100 times per second.
You thought "easily check over 10 billion hashes a second", hashcat's web page says 100 per second. Doing 110,000 rounds instead of one matters, and of course there's the little confusion between million and billion.
Re: (Score:2)
Hmmm... I got my performance stats from a different web site. But the performance table on oclHashcat's front page says 11231M c/s for SHA256. That's eleven billion a second, admittedly using 8 GPUs, but in the ballpark of my original post.
If crypt is iterating SHA256 110,000 times, that sounds fairly good. I've been looking at scrypt, which is explicitly designed to resist hardware based attacks.
So 40X slower than I originally said (Score:2)
Avoiding the word "billion" because it means different things in different countries ...
> oclHashcat's front page says 11231M c/s for SHA256
Yes, I should get some sleep. Divide that by 110,000 rounds, you get 102,100 hashes ($5$) per second. A bit higher than 100, and a bit lower than 10 billion. For any definition of billion. :)
Note my original calculation assumed 4 million hashes per second. With the oclHashcat numbers, we're looking at 160,000 years per password, for a reasonably good password.
If the
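The "3,963 years per password" estimate above and its oclHashcat correction, carried through as an added example (not from the thread) so that entropy, hash rate and round count can be varied; the 110,000-round figure, the 4 million/s and 11231M c/s rates, and the "6 bits per alphanumeric character, 7 characters" objection are the thread's own numbers, taken as given:

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits_random(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a uniformly random password of `length` characters
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def effective_hash_rate(primitive_per_second: float, rounds: int) -> float:
    """Rate at which an iterated hash can be tried when the underlying
    primitive (e.g. SHA-256) runs at `primitive_per_second` and the scheme
    applies it `rounds` times per candidate."""
    return primitive_per_second / rounds


def expected_crack_seconds(keyspace: float, hashes_per_second: float) -> float:
    """Expected time to recover ONE password: on average half the keyspace is
    tried. Assumes a proper per-user salt, so each hash is attacked on its own."""
    return keyspace / 2 / hashes_per_second


def expected_crack_years(keyspace: float, hashes_per_second: float) -> float:
    return expected_crack_seconds(keyspace, hashes_per_second) / SECONDS_PER_YEAR


def years_for_bits(entropy_bits: float, hashes_per_second: float) -> float:
    """Same estimate, parameterised by password entropy instead of keyspace."""
    return expected_crack_years(2.0 ** entropy_bits, hashes_per_second)


def thread_figures() -> dict:
    """Reproduce the thread's three estimates from its own inputs."""
    # First post: ~60 bits rounded down to 1e18 candidates at 4 million crypt($5$)/s.
    first_post = expected_crack_years(1e18, 4e6)
    # Correction: oclHashcat's quoted 11231M SHA-256/s divided by the 110,000 rounds
    # the thread attributes to crypt($5$) (both figures taken from the thread as given).
    rate = effective_hash_rate(11231e6, 110_000)
    corrected = expected_crack_years(1e18, rate)
    # Objection: ~6 bits per alphanumeric character and a 7-character average password.
    weak_bits = entropy_bits_random(62, 7)
    weak_password = years_for_bits(weak_bits, rate)
    return {
        "first_post_years": first_post,
        "crypt5_per_second": rate,
        "corrected_years": corrected,
        "weak_password_bits": weak_bits,
        "weak_password_years": weak_password,
    }


if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name}: {value:,.2f}")
    for bits in (40, 50, 60):
        print(f"{bits} bits at 4e6 hashes/s: {years_for_bits(bits, 4e6):,.2f} years")
```

The 40-, 50- and 60-bit rows show why the thread's conclusion hinges on the user's password entropy rather than on the hash alone: at the same rate, 40 bits falls in under two days while 60 bits takes millennia.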
Legacy Passwords (Score:2)
Re:Security Questions (Score:2)
Good point (Score:2)
I kind of had tunnel vision there, didn't I. That comes from 17 years of focusing on protecting passwords for a living.
Re: (Score:2)
My phone number is unlisted, you insensitive clod.
Personal online information (Score:4, Insightful)
In the end, efficiency was prioritized over the need to secure personally identifiable information (PII). eBay should not have stored so much PII in the same database, it should have been stored separately and linked on retrieval.
Sadly, security requirements being ignored or missed during design is a commonplace occurrence and they don't get fixed until something like this brings them to light.
Re: (Score:2)
unless it was legally required but could instead be replaced by a flag for "above 13", "above 18", "above 21".
Tomorrow the law changes and requires a certain other age for certain activities. How do you convert a simple "above 13" flag into the new "above 17"?
And then, how do you know to change the "above 13" into "above 21" as appropriate unless you know when the birthday is? Do you just wait 8 years and do it automatically?
And finally, if you're giving anyone who doesn't need it your correct birthday, you're the one at fault, not them for asking.
Re: (Score:2)
I did, but, I guess I didn't feel that I needed to lay everything out. :) Folks aren't allowed to sign-up unless they're 13 or over, but, all you would need to do is have a weekly, or even a daily process that would synch those online flags with the actual offline birthday.
Re: (Score:2)
...but, all you would need to do is have a weekly, or even a daily process that would synch those online flags with the actual offline birthday.
I think I understand what you mean here, but could I just point out that if you have an automatic process that accesses actual birthday information then that information is online, too? If someone hacks an employee account and gets access to the name/etc database, why wouldn't they just copy the "actual birthday" information, too?
eBay is sitting pretty. (Score:3)
Password still not stored securely (Score:3, Insightful)
The personal information screen shows me the length of my password, in asterisks. They wouldn't know how long my password is if they were storing it securely.
Correction: Password length NOT shown (Score:5, Informative)
I was wrong. They are always showing eight asterisks. It's not the length of your password unless your password is eight characters.
Re: (Score:2)
Thanks for the update, diligent and forthright to do so.
Re: (Score:2)
Did your password just happen to have 8 characters? My previous was 7 and it showed 8 asterisks, and I just changed it to something much longer than 8 characters and it still shows 8 asterisks.
Throw away password (Score:2)
As per my usual, my eBay account has all fake information and a throw-away password. eBay often tells me to make it stronger, but it's ironic, because had I actually used a strong "normal" password (one of my strong ones I can remember), it would now have been possibly compromised.
I think this might be an argument for using crap usernames/passwords for sites you don't trust (which is most of them), because chances are, they're going to leak your information at some point.
Re: (Score:2)
As per my usual, my eBay account has all fake information and a throw-away password.
I don't get it. Why? How do you buy or sell stuff with fake info? Or if you don't buy or sell stuff, why create a login at all? Can't one browse through listings all they want without an account?
Revert to cash? (Score:2)
I already use cash if I can't eyeball the person swiping the card or swipe it myself.
Maybe we should go back to cash and checks.
I've been in IT since 1999 as a pro and 1982 as a hobbyist, and I give up -- The System cannot be trusted. NSA reading my crap, companies being negligent / careless / indifferent with private / financial data .. script kiddies and organized crims.. enough!
123456 probably most used password (Score:2)
Whenever this happens I will now think of the Adobe password breach ... 130 million accounts.
roughly 10% of those had "123456" as their password..
You can see the other top 99 here: http://stricture-group.com/fil... [stricture-group.com] ..probably a good time to reconsider the re-use of passwords.. use a password vault....
Class Action (Score:2)
Re: (Score:2)
Who's with me?
I'm in! Why not? I can't wait for that settlement when I get 47 cents off my next eBay invoice. Or 0.2% of my seller fees charged from July 1, 1998 to August 27th, 2004 refunded to my account if I have the documentation to prove it.
Security Token? (Score:2)
eBay and PayPal used to offer security tokens to provide one-time PINs to be used at login. They were offered as either physical tokens or as smartphone apps. I just tried to look for them on the eBay and PayPal sites, but I no longer see any mention of them. Have they stopped supporting the tokens?
PayPal now just appears to offer something called PayPal Security Key in which they send OTPs via SMS, and I don't see anything like that on the eBay site.
Re: (Score:2)
https://www.paypal.com/us/cgi-... [paypal.com]
Thank you.
I'm not worried (Score:5, Funny)
I get emails from Ebay all the time recommending I change my password. They even provide a handy link in the email for me to click on.
Wait - what?! (Score:5, Informative)
The hackers gained access to " name, [...], physical address, phone number and date of birth"
But they "did not [access] other confidential personal information"
What other personal information is there on the planet? Your name, address and DOB is pretty much everything needed for identify theft.
Okay - I guess they didn't get Health records. Seriously though - what "other confidential information" does eBay store?
Aw cripes, not again! (Score:5, Funny)
This is the THIRD time this month I've had to change my date of birth due to a compromised website.
Re: (Score:2)
That's nothing. This is the third time this month I've had to get a finger transplant due to compromised biometrics.
Right, everything changed ;-) (Score:2)
Password: now changed.
Date of birth: changed, new birth certificate acquired.
Home address: moving house tomorrow.
So I went to change the password (Score:3)
And ebay wants me to type in my full credit card/bank account information to verify my identity. No, this doesn't look like a phishing attempt at all. Even if it's legit, it's bad form.
Re: (Score:2)
Really? I only had to supply my old password.
I've had it with these motherfucking breaches! (Score:3)
I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.
By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.
Re: (Score:2)
I'm getting so tired of these. It seems like every few months now I'm getting affected by one. Last year my bank replaced my debit card three times (Adobe breach, Target breach, and who knows what the third one was)! Consequently, I'm no longer using my debit card as a debit card, but only at ATMs. I use my credit card for any card-based purchases now. But it doesn't stop. You name it: zappos breach, dropbox breach, a breach at an old community college I attended years ago, and probably others that I've forgotten about in the last year or two. Fuck me running.
By the way, the stories about this breach claim that no financial data was compromised. That's fine, except that the data that was compromised may be used for identity theft: your name, date of birth, and street address. I'm pretty much getting ready to use the option that the credit reporting agencies offer to lock down my credit so that no one can obtain credit in my name without me unlocking it. It's a pain, but I don't think it's a choice anymore at the rate these breaches are going.
One thing I've done for a while now is use Citicards' Virtual Account Number service for any online credit card purchases. It generates a unique number that can be used one time (sorta - if the purchase has multiple stages like Amazon does for example, the retailer can place several charges) by one retailer. It's a bit of trouble, but I don't have to concern myself that a compromise at one business will cause me to have to replace the card. Plus, if a compromise ever happens, it'll be immediately apparent w
Re: (Score:2)
Thanks for the idea, and I'll check if my bank offers something similar for my credit card. But I'm going to stick with credit cards from now on. I realize now that there's a reason why banks seem to try to push us to use debit cards every chance they get.
Here's an article describing why:
http://www.consumerreports.org... [consumerreports.org]
I say screw them, at least until they pull their heads out of their asses and give us secure cards (chip and pin).
Great, now I need credit monitoring (Score:2)
113 bits (Score:2)
So the password I was using had 113 bits of entropy. Does anyone know the likelihood this can be cracked?
Or is it pretty safe given that most people will have easier to break passwords?
SourceForge too! (Score:2)
Accounts' passwords expired and have to be changed. :/
Ebay overloaded (Score:2)
Page not available
Ebay is asking its users to reset their passwords due to the unauthorized access to our corporate information network. This may result in a delay of service due to the high traffic volume. We ask for your patience and that you return to eBay soon. In the meantime, please be assured that no activity can occur on your account until your password is reset.
Re: (Score:2)
I just went to ebay and logged in, and was surprised to see nothing regarding this on their main page.
“eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords...”
Re: (Score:3)
item not as described. password salt was actually pepper!
Re: (Score:2)
That's what happens when the starting bid on their customer database is $0.99...
Re: (Score:2)
Because cowboy attitude. We just had here the story on the EU law about deleting older links to personal data from search engines. Where most US contributors insisted that this data is "facts" and it would be "free speech" to disseminate it as businesses see fit. Combine this with EULA practices where businesses (many in monopoly position) will not service you unless you agree that they collect your personal data and s
Re: (Score:2)
It is awful to steal from millions of users. Users have two options: transact business with a business and entrust their data into the business's protection or shun a business. Let us say that your argument is correct, and it is in the best interest of the working man to transact business with a business and entrust his data into the business's protection because that benefits to business and hence the working man's 401k account. Would it not be reasonable for that working man to then be angry at Ebay for n
Re: (Score:2)
I present an alternative view: it is unwise for the working man to tie his worth to the worth of those who do not have his interests in mind. It is wiser for the working man to not spend his money on bolstering the economy by buying unnecessary items from companies that do not have his personal wellbeing in mind. It is better for him to live well within his means and not rely on a 401k.
Your alternate view is one I agree with fully. I practice this one myself. Regarding their practices, I also agree putting more responsibility on them for their handling is appropriate, considering all the factors. Point well taken. Thank you.