Ebay Hacked!

[Mardi13]

I never got a "change your password" message, but that may be because I changed it right away (which was a rare thing for me to do, I hate trying to remember all the damned things.) I know some folks who change theirs three times a year or even more.

 

The raw fact is that once you start doing any kind of business on the interwebz (or in person for that matter, see Target) you are giving out information, and that inevitably carries some risk. All one can do is try to minimize it. Ideally the websites and businesses would have better protections, but everyone knows criminals are often more clever and creative than law abiders. As individuals we have to assume some responsibility for our security, or live in a cash-only society. And even then, banks get robbed!

[KBeezie]

I never got a "change your password" message, but that may be because I changed it right away (which was a rare thing for me to do, I hate trying to remember all the damned things.) I know some folks who change theirs three times a year or even more.

 

The raw fact is that once you start doing any kind of business on the interwebz (or in person for that matter, see Target) you are giving out information, and that inevitably carries some risk. All one can do is try to minimize it. Ideally the websites and businesses would have better protections, but everyone knows criminals are often more clever and creative than law abiders. As individuals we have to assume some responsibility for our security, or live in a cash-only society. And even then, banks get robbed!

 

I haven't changed it, but I still haven't gotten any notification logging in or otherwise to change it, and thus far the people who are being asked to changed seem to be non-American accounts.

[colrehogan]

I heard about this on the Weather Channel this morning. Changed my password this morning too.

[cleosmama]

They urge new passwords, yet I never got an email notification from ebay, nor a notification when I went to visit my profile. Not very heavy on the urging.

 

I wonder if the leak also includes paypal information?

I heard about it yesterday on NPR.

 

I will tell you that last month someone created a fake Bill Me Later account using only partial information, and they bought something like $160.00 worth of goods from ebay. Bill Me Later says they can see where the people were trying different combinations of birthday and ssn numbers (last four digits is all Bill Me Later and Ebay use) until they were successful.

 

I don't know if this was in connection with the ebay hacking, but now I suspect it was.

[KBeezie]

I heard about it yesterday on NPR.

 

I will tell you that last month someone created a fake Bill Me Later account using only partial information, and they bought something like $160.00 worth of goods from ebay. Bill Me Later says they can see where the people were trying different combinations of birthday and ssn numbers (last four digits is all Bill Me Later and Ebay use) until they were successful.

 

I don't know if this was in connection with the ebay hacking, but now I suspect it was.

 

You would think there would have been some kind of security measure that would not allow so many corrections/attempts.

[Komitadjie]

 

And I agree, though I have come across some companies that actually make it difficult to come up with a good password. Huntington Bank for example doesn't allow for any special characters, it's strictly alphanumeric (only letters or numbers), when just a simple symbol would increase password strength significantly in terms of possible combinations, especially for passwords above 6 digits.

 

It really can be a pain sometimes to get a strong password! I went a number of years ago to using a password vault program that I carry with me on a USB key on my key ring (and keep backups of offsite, of course). The particular program I use has a generation system for random (or at least as random as you can get with a computer program) passwords of any length you desire, using specified character sets, cases, etc.

 

I have my passwords divided into two categories. For forums and minor-importance stuff, I use passwords I memorize and don't change all that often. For anything with personal data or financial connection, I use a password of max or near-max length permitted by the site, with as many of the random permuters turned on in the program as I can. And those I change every month or so. It's effectively no effort at all with a password vault, so why not? Gives me a better chance of not leaving someone a stored password to use out of a browser cache, too. I figure that no password is EVERY entirely secure from a crack, but I want mine to be in that last .1% that the hacker is banging his head on his keyboard trying to get the program to hash out.

Edited May 22, 2014 by Komitadjie

[KBeezie]

 

It really can be a pain sometimes to get a strong password! I went a number of years ago to using a password vault program that I carry with me on a USB key on my key ring (and keep backups of offsite, of course). The particular program I use has a generation system for random (or at least as random as you can get with a computer program) passwords of any length you desire, using specified character sets, cases, etc.

 

I have my passwords divided into two categories. For forums and minor-importance stuff, I use passwords I memorize and don't change all that often. For anything with personal data or financial connection, I use a password of max or near-max length permitted by the site, with as many of the random permuters turned on in the program as I can. And those I change every month or so. It's effectively no effort at all with a password vault, so why not? Gives me a better chance of not leaving someone a stored password to use out of a browser cache, too. I figure that no password is EVERY entirely secure from a crack, but I want mine to be in that last .1% that the hacker is banging his head on his keyboard trying to get the program to hash out.

 

I like 1Password for that.

[Komitadjie]

Eh, I go a BIT farther than that, but not a whole lot, usually. Just enough to be fairly random, and avoid the top-thousand passwords list.

[KBeezie]

Eh, I go a BIT farther than that, but not a whole lot, usually. Just enough to be fairly random, and avoid the top-thousand passwords list.

 

1Password is a program for storing/managing multiple passwords, you have 1 master password to unlock that safe and does the auto-fills for you, also available in an Android/iOS app. My master password is over 24 digits long and contains more than just letters and numbers.

[Komitadjie]

Ahh, ok, that makes more sense, I parsed that one badly!

 

I use KeePass myself, with a combination password-keyfile setup. Easy to use, and robust as hell.

[theverdictis]

Yeah but they didn't bother to announce it months ago. Harrumph.

Too true.

[KBeezie]

Just today I got the password update 'banner' on the site itself, but not via email. Went ahead and did it, wasn't too bad as long as you remembered to keep your email and/or phone up to date in your profile. Took the opportunity to make it even stronger.

[Ghost Plane]

Email wandered in today. I am underwhelmed.

[penbrute]

I read the news a couple days ago, but like most of you, still haven't heard anything from thebay.

 

But what's the point of changing the ebay password anyway? The hackers have already stolen all personal info (name, address, DOB). What are they gonna do by cracking the passwords? Bid high on a bunch of solid gold pens? And then what? Ebay is only good for bidding, not paying.

 

Or am I missing something? Am I taking this too lightly (still haven't changed the pwd)? (If I missed a post that explains this, sorry).

Edited May 25, 2014 by penbrute

[KBeezie]

I read the news a couple days ago, but like most of you, still haven't heard anything from thebay.

 

But what's the point of changing the ebay password anyway? The hackers have already stolen all personal info (name, address, DOB). What are they gonna do by cracking the passwords? Bid high on a bunch of solid gold pens? And then what? Ebay is only good for bidding, not paying.

 

Or am I missing something? Am I taking this too lightly (still haven't changed the pwd)? (If I missed a post that explains this, sorry).

 

Well there are probably other ways for them to use such information like apply for bill-me-later using your ebay credentials to guy something.

 

But also there are quite a few people who use one password for most of their online services and where one may be compromised, hackers may attempt to use that information to log into other services (like your paypal account, bank that may be tied to your info for paying your fees, etc).

 

I usually do change it anyways because eBay/Paypal can be a pain in the butt sometimes, and knowing them, if you didn't change it for quite some time their system automatically red flags your account for review for whatever reason and then they take the opportunity to harass you about getting more information like your personal social security number, which can get pretty ugly if you refuse to give them that (they don't need it, especially if you already gave them an EIN which the IRS has on file, and I don't trust paypal employees with *that* much information).