The spin is atrocious. The big story is not the headline, that users must change passwords.
The big story is that ebay leaked personally identifiable information. Naturally this is buried four paragraphs down.
> The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.
Don't patronize me with empty platitudes like "changing passwords is a best practice".
Tell me to brace for an inevitable wave of phishing and identity attacks.
Tell me that bad guys will try to steal my other online accounts with this information.
Tell me to trust no one because bad guys now look legit with my home address, phone number and DOB.
Pro tip: put the real story in the headline. That's also a "best practice".
Don't forget that it was nearly three months ago. Why weren't users informed immediately?
Do I need to update my PayPal account too? (my email is the same, but both passwords are long and randomised so not too bothered). So now they know my email address and my home address - and my date of birth, always convenient. Oh and as someone pointed out, I have PayPal automatically linked to my eBay account. Great.
Which physical address? My default delivery? My invoice address?
So a quick update from the BBC: "something it only became aware of a fortnight ago"
They only just realised, essentially. Although it's worrying that it took an eCommerce site so long to catch it. And that's still two weeks when eBay knew and nobody else did.
Damn, PayPal updated their password reset UI in the last week, but you can still only enter 20 characters for a site that holds cold hard (electronic) cash. Really guys? If you're really hashing them, why does the length matter? The DB column width doesn't need to change. Want us to submit a patch?
P.S. I wonder if they were expecting a lot of resets, hence the redesign rollout?
So does Discover. When I wouldn't take "just because" for an answer, IIRC the explanation was that it resulted in fewer password reset requests, so I believe your take is correct.
I still get mail from Bank Of America -- where I no longer have an account because their fraud department decided to stop paying my mortgage -- about someone trying to log into my account. About once a week. I could spam filter it but it reminds me not to go back.
In mid february I created a gmail account and only used it to subscribe to Paypal (didn't touch Ebay). The Paypal account is associated to a NY home address.
On March 15th I received at that email address a "New York Lotto" phishing email. That is the only spam I got so far on that email account.
So I would assume that they have at least some Paypal subscribers data, including email and home city (and maybe address).
Ebay claims that 20 characters is the max, but it's a lie - mine is 29.
Likewise, Newegg claims that you have to have special characters, but my password has none.
I'd suggest trying the password you want and seeing if it gets rejected. In a lot of cases, some programmer may have fixed the crazy password scheme and forgotten to update the page text.
Are you sure that your password is actually 29 characters? Try changing some of the last nine characters and see if it will still let you log in; they may just be dropping the last nine silently.
Nope, give them a tiny amount of credit: they're not arbitrarily restricting password length. It's just the instructions that are out-of-date (or just plain incorrect).
I discovered yesterday that Microsoft (yes, Microsoft!) limits their passwords to between 8 and 16 characters. I'm not sure ANYONE really knows how to implement security even half-properly; I really wish OpenID had taken off.
This always gets me, and every time I ask I can't seem to find a direct answer why so many sites have this 20 character limit. Bank of America does as well, with the additional restriction that you can't use the following characters: $ < > & ^ ! []. BlueCross/BlueShield allows up to 30 characters, but only numbers and letters.
If passwords are being hashed, which I guess I would have to believe they are, at least in the BOA case, what's the point of restricting character counts (especially to 20), or choosing random characters to exclude?
Choosing random characters to exclude (or alternately, only permitting a subset of characters) can make the task of validating that you aren't subject to an injection attack easier.
Note that this validation may take the form of validating to someone, shall we say, less than fully competent, or it could be an actual means to protect yourself.
The additional search space from 62^N to 200^N isn't especially worth worrying about, IMO.
http://msdn.microsoft.com/en-us/library/bb355989.aspx (to cite just one way that these things come into being; someone finds that you can do input validation easily, and they do it, maybe because they're overly cautious, maybe because someone they need to convince is overly cautious, maybe some other reason) IMO, this is not an especially terrible "flaw" in a site.
1. Legacy systems. The system that was built 15 years ago might have limited the field for performance or storage reasons and it was never updated. Or maybe the Palm Pilot app only supports 20 characters in a text field and nobody has the source code but there's still a dedicated bunch of 200 users who do $50,000 in sales every year and nobody wants to piss them off. Or maybe they're just afraid the monster has gotten too big and they don't know what'll break if they change anything. Better to play it conservative so you're not the person who shut a group of users out of the system.
2. Just because. True story: I was working on an internal app for a company years back and I asked my manager if there were any particular password restrictions we needed to honor, any kind of company policies or weird accessibility concerns or something [1]. So what does he do? He emails the marketing stakeholder and asks her what the password rules should be. She doesn't know anything about security, so she concocts something completely arbitrary based on stuff she's seen on other sites. 6-10 characters, at least one number & one symbol, etc. And those were the requirements I had to implement, because that's what the stakeholder wants, even though that was the answer to completely the wrong question.
> if passwords are being hashed, which i guess i would have to believe they are
I wouldn't assume that. Think about a bank where you have call center staff who know a certain customer by name because he calls every Thursday saying he can't remember which of his grandkids' names he used as a password and could you please tell him because the rent is due Monday and he needs to transfer money from savings to checking because his Social Security check is late this month. And so on. You know how old guys are with their stories. You're reading one now. The CSR doesn't want to walk him through the steps of resetting his password over the phone…again. The faster he can get him logged in, the sooner he'll go away.
"We need a way to display that guy's password to a CSR," the head of the department tells the CEO over golf, knowing if he gets the department's average call time under two minutes he gets an extra $100,000 this year. So, the edict comes down from the highest levels of the company that the passwords have to be encrypted & reversible instead of hashed.
Now, this story is completely fictitious, but I've been in similar situations where the all-important call-center & support metrics trumped security. It happens. It shouldn't, but it happens.
Legacy systems. There's almost certainly some ancient backend system that deals with passwords, and can't handle long passwords or certain special characters. I would not assume that bank passwords are being hashed properly.
Isn't there a law in California that requires data breach disclosure? Is there a time frame in that law? Three months is way too long and I am sure criminals will use what they get as soon as possible.
Not directly -- I don't think I've ever seen a (U.S.) credit card application which didn't also want your social security number. That said, it's a pretty good start.
My thoughts exactly - this is a terribly spun statement by eBay. My personal data has now been leaked to unknown parties and they make light of it by droning on about "best practice" and passwords.
Oh Gosh! The oversimplification is mind boggling. Being an ecommerce and payments website they should have been very clear about the impact this breach has on our privacy. Angry.
>Don't patronize me with empty platitudes like "changing passwords is a best practice".
Made me retch too. Pardon me, but how did your security snafu get to be about telling me what I ought to do? Some sort of amateur reverse psychology? A Jedi mind-trick? Kind of implies that we somehow have responsibility for it too. "Yes, yes, we allowed this to happen, but if you'd only make yourself aware of best practices, you wouldn't have anything to worry about."
Very condescending. Just tell me what I need to do to mitigate your screw up. Skip the security lesson and misdirection.
I also don't see an apology, but merely "regrets". I'm guessing their legal department weighed in on this one, but that omission, along with the spin, and the whole picture just reads like a big CYA and a "screw you!" to customers.
> The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.
Ebay being hacked kind of scares the hell out of me because PayPal has my checking account information with direct access to withdraw funds. A hacker could rob me blind. Like seriously the owner of PayPal should not be telling me this "we have no evidence of" bullshit because there's no alternative to PayPal that online stores actually use and changing your checking account number and routing number is very very painful. You have to get new checks, you lose checking history. Fuck.
I know it's not always practical for everyone, so I can't give it as general advice, but this kind of situation is exactly why I isolate my "real" checking account. My primary account (the one to which my paychecks are deposited) doesn't have a debit card, and I never use the account number. I have a different account that I use for online services like PayPal, and for recurring charges online that require a credit/debit card, which I transfer money into on demand.
It's extra work for me, but it's also less risk. Unless somebody gains access to my online banking account, they're not going to be able to access my primary funds account.
I have one checking account that my paycheck goes into, and I pay monthly/yearly recurring bills out of this account. There is nothing online for this account, the only way money gets out is that I get my bank to send somebody a check.
I set up a weekly auto-transfer to a separate account which my wife and I carry around debit cards for. This is for groceries, gas, and personal shopping stuff, including online.
Also, the primary reason was to help us balance our budget. I've tried software to do it, but:
a) My wife isn't into tech as much as I am and has a much lower threshold for acceptable complexity
b) More importantly, any software that I found had a large maintenance burden. Having her ask "do we have enough to go to dinner tonight?" requires me to have the books up-to-date almost on a daily basis. Too much work.
Now, the question of how much do we have to spend for specific activities has a very simple answer: how much is in the "spending" bank account, and it's easy to prorate that over a week's time.
A previous attempt at this was over a month's time frame, but that's too long of a time span. It's easy to overspend earlier in the month and fail to mentally take into account bigger things near the end of the month.
I also tried being "squishy" with the amount, moving it around depending on how much we overspent for the previous week (e.g., put something on our credit card because we actually needed to). This also doesn't work out too well, because it impairs predictability, even if it balances the books better. Plus, I want to get us off the mindset of using the credit card when we overspend a week. I was, frankly, being a tightwad with the weekly amounts and loosened it up a little to give us a bit more buffer.
Setting a weekly fixed amount made our money conversations easier. I'm still undoing financial damage from earlier (paying off credit card debt and building up savings for yearly bills), but this is an abstraction my wife doesn't need to worry about (she knows about it but doesn't need to deal with it).
This was all tangential to protecting yourself from badness, but it was a nice side effect.
Are your accounts with two separate banks? Last time I tried to open another account with a separate bank, I got denied because I opened an account within the past year.
Make sure that second account has a flag that says it can not be overdrawn under any circumstances.
Banks are not always as smart as they should be and sometimes allow an account of a customer 'in good standing' or with a credit balance on another account to be overdrawn. Especially when it is done via direct debit.
For those of us who don't have this setup, suppose this kind of breach does occur and money is taken from a checking account. Is this covered by the bank somehow? Can that money be returned?
I've had my debit card used at least half a dozen time by thieves (they must skim the magnetic information off it at gas stations or something), including a thousand dollar charge at an ATM while I was abroad.
In every case Chase refunded me in full within a few days. This isn't something every bank does?
In the US, consumer level accounts are protected against unauthorized withdrawals. (The bottleneck for the crooks is finding a sucker who will change a reversible transaction into an irreversible transaction.)
It might take you some time to get it back, but the bank is legally required to get it back to you.
For business accounts this protection does not apply.
Okay, so let's imagine for a moment that the "secure, encrypted" database of card numbers has also been compromised. The attacker would have the plaintext name and address, and an encrypted 16 digit number, with an entropy of at most 53 bits - maybe 66 bits if the expiry date is included. That's before you take card number check digits and geographically-likely prefix codes into account, which will reduce the entropy. (Edit: yes, they wouldn't store the CVV). And don't get me started on showing the user the last four digits of the card number. It wouldn't take much effort in this day and age for the attacker to try all possible card numbers, and then they have name, address, and card number. Game over, man.
Wouldn't it be possible for them instead to store a token generated from the card number and Ebay/Paypal's incoming bank account number, which can only be used for paying into that particular account?
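A worked version of the entropy arithmetic in the comment above, together with the tokenization alternative raised in the reply. This is an added example, not code from the thread or from eBay/PayPal; the PAN is the standard Luhn-valid test number, the account ids are constructed, and `TokenVault` is a toy in-memory model. It goes slightly beyond the comment by also counting a known issuer prefix (BIN).

```python
"""Added example: how much of a 16-digit card number an attacker who already
holds name, address and a deterministically encrypted PAN still has to
guess, and why a random token bound to one receiving account is safer.

Assumptions: "4111111111111111" is the well-known Luhn-valid test number;
account ids and the vault are constructed for the demo."""
import math
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: the last digit is fully determined by the other fifteen,
    so it contributes no entropy at all."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def search_space_bits(total_digits: int = 16, known_prefix: int = 0,
                      luhn_known: bool = True, expiry_values: int = 1) -> float:
    """log2 of the number of candidate PANs an attacker has to consider.

    Nothing known:            10**16            -> the thread's 53-bit bound
    Luhn digit accounted for: 10**15            -> ~50 bits
    6-digit BIN also known:   10**9             -> ~30 bits
    Naive 4-digit MMYY added: 10**16 * 10**4    -> the thread's ~66 bits"""
    free_digits = total_digits - known_prefix - (1 if luhn_known else 0)
    return math.log2(10 ** free_digits * expiry_values)


class TokenVault:
    """Toy tokenization service (in reality run by the payment processor).

    The merchant stores only the token. It is random, so a leaked merchant
    database reveals nothing about the PAN and cannot be brute-forced back to
    it, and it is bound to one receiving account, so it cannot be replayed
    to pay anyone else."""

    def __init__(self) -> None:
        self._vault: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, account_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = secrets.token_hex(16)          # 128 random bits, unrelated to PAN
        self._vault[token] = (pan, account_id)
        return token

    def redeem(self, token: str, account_id: str):
        """Return the PAN only for the account the token was issued to."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != account_id:
            return None
        return entry[0]


if __name__ == "__main__":
    print(f"nothing known:        {search_space_bits(luhn_known=False):5.1f} bits")
    print(f"Luhn accounted for:   {search_space_bits():5.1f} bits")
    print(f"BIN known as well:    {search_space_bits(known_prefix=6):5.1f} bits")
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", "merchant-A")
    print("token:", tok, "-> redeemable by A:", vault.redeem(tok, "merchant-A") is not None,
          "by B:", vault.redeem(tok, "merchant-B") is not None)
```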
But what does it matter if they figure out your card number? You're not liable for fraudulent transactions. It's pretty easy to get a new card number. Your issuer takes a hit, but whatever, not my problem.
Checking account info is much, much worse. It's much harder to reverse fraudulent transactions there, and much harder to get a new number.
It really shouldn't be. I had a card compromised in the Target breach and they sent me a new one without my intervention. I've had fraudulent charges made before, and it's been trivial to get it fixed.
I've never had a checking account compromise, but I'm pretty sure it would be a massive pain in the ass by comparison.
The Target compromise wasn't a minor pain for everyone. A friend's bank reissued her credit card. Which caused a payment she had made to Time Warner fail. She was also in the middle of moving, which caused even more headache and a potential hit on her credit for late payment, because apparently Time Warner doesn't even attempt to notify you if your payment fails.
I'd put the blame entirely on Time Warner for that one. The Target breach is entirely incidental to the store. The same thing would have happened if the card had expired naturally, or been closed for other reasons.
Mentioned above, but relevant here too. I've had my debit card compromised several times, and it was still trivial - one phone call and was refunded in a few days.
Debit cards mostly give you the same protections as credit cards. They're worse in that the money comes out of your account immediately (but is supposed to be returned when you report fraud), and the rules are different and less favorable if your PIN is also compromised, but overall it's not too bad.
A compromise of your routing and account number for your checking account is potentially much worse. It's harder to take advantage of, but it's also much harder to fix.
(I'm not sure if you were treating the debit card as analogous to credit cards or account numbers, so treat this as confirmation/correction/elaboration/whatever as appropriate.)
Did the bank charge you for the replacement cards? Is there any real reason not to just regularly - say every 3 months - request a new card for peace of mind?
They did not. That stuff is basically a loss leader for them.
From what I recall with the Target incident, their cost is something like $2-5 for each replacement card, so it's not entirely trivial. If you requested a new one on a regular basis for no good reason, they might put a stop to it one way or another.
As far as peace of mind goes, since the consequences are so mild, I wouldn't worry about it.
Thanks for reminding me about this. I was using a separate checking account just for PayPal, until they "restricted" my PP account. Since I've stopped using PayPal, now I keep some money in that checking account. Went to update my profile...
1. You cannot remove a primary credit card from your profile. There is only one option "Edit" where you can change expiration date and Billing Address. Entering incorrect expiration date does not work. It only allowed me to change billing address.
2. Removing the checking account is not confirmed. Once I clicked the "Remove" button I was redirected to the login screen. Now when I try to access my bank account I am signed out and redirected to login.
I hate calling them, but looks like that's my only option.
Not practical when you want to pull money out, but I only have paypal hooked up to my CC. This very reason is why I never hooked it up to my bank account. When I do get people who paypal me money, which is not often, I just use the money to load my sbux card or something.
Obviously this is harder to do if you are a merchant who takes large amounts of money through paypal. In those cases though the merchant should have already segmented the paypal hooked bank account from the primary business account. If you are a merchant and have not done this, now is a good time.
"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information."
…So, just my entire identity then? eBay really seem to be down-playing the severity of this.
You have to remember that eBay is an ancient tech company run by the old MBA types that didn't really understand what value to place on engineering.
All their internal systems are maintained by vendors, VARs, and contractors.
So weird stuff like the ebayinc.com domain is to be expected. As is this hack. Also it'd be interesting to know how it was detected, and how the extent of access was determined. But if my prediction is correct, we will never see a truly open blog post about it. First, because it's not clear to me that eBay "infosec" is up to the task. Second, because eBay believes more in compartmentalization, secrecy, misdirection etc. than 'openness'.
Take a look at ebay's Account Management interface. Remember what it was like to use the web 15 years ago. Bear in mind that ebay owns PayPal which has quite possibly the worst api I've ever used, along with an interface that is even worse than ebay's. Wonder what the hell this company is doing other than lying back and counting the dollars.
If it wasn't for a tiny amount of 'reputation' which might make others more willing to deal with me, I'd close my ebay account right now.
Week 1: "We have no reason to believe that any confidential information has been compromised."
Week 2: "We have observed some limited and negligible instances of credit card information being compromised that coincidentally happened to be linked to eBay accounts. We consider this purely coincidental and feel it is no cause for concern."
Has anyone received an email from eBay about this? I'm guessing that the phishers are going to be faster at getting out fake change password emails than eBay themselves.
Doesn't that make it the perfect question? For someone to answer the question correctly, they have to demonstrate that they don't even need to do so, because they already know the thing you wanted to protect?
No, that doesn't work: if you really think that is a good argument, then everyone is also a fool for believing "enter your password here to log in"; remember that you are answering a password reset challenge question at the same site you would normally enter your password.
Credit card numbers should be way down on your list of info to protect. They're easy to change and the consequences of a compromise are small (you're not liable for any fraudulent transactions as long as you're paying the least bit attention). Worry about your checking account number and other info, but not your card numbers.
I suppose I could. I was going for the "Tropic Thunder" line. But really, political correctness? Has anyone ever called an actually mentally handicapped person "retarded" in the past thirty years?
The point isn't to just not call a 'mentally handicapped' person by a slur. It's to prevent the stereotyping of a whole class of people by comparing them to someone doing something wrong or unintelligent. In "Paypal went full retard", what you're really saying is that Paypal did something that is so wrong that only a mentally challenged person would do that, which promotes a stereotype that mentally challenged people do bad things.
By the way, the euphemism treadmill of this subject has proceeded to the point where "mentally handicapped" and "mentally challenged" are also now politically-incorrect. The preferred term is now "intellectually disabled" or "learning disabled" (which to me is far more insulting than "mentally retarded", from a literal perspective, but less evasive than "developmentally delayed").
I got that you were going for a "Tropic Thunder" ref, but it doesn't fit. It sounds like you're saying ebay is stupid, but the TT is satirizing actors pretending to be stupid. And, TT gets away with the bit because it pushes PC-ness further towards not shitting on mentally disabled folks. Mayhaps it should, but slang use of the word "retarded" doesn't automatically offend me. I just don't think your use worked.
That's only the case if you do the password reset when you are already logged into your account. It's another layer to prevent people changing your password on a shared computer if you stepped away, for example. Doesn't happen if you are not logged in.
When I tried to change my password to a twenty character pass phrase, I wasn't allowed because it was "too weak". Adding a single digit made it "strong." I am not particularly comforted by this.
>Cyberattackers compromised a small number of employee log-in credentials
This bothers me. No one cares how many employee logins were stolen. It only takes one to cause a huge amount of damage. Is anyone reading this thinking "oh, it's okay, they didn't take too many employee logins"?
The whole press release is hilariously downplayed. This is very much a "hair on fire" moment for them, but the way they wrote this is so very casual.
They focus on relatively unimportant aspects of what happened and leave the big stuff as an afterthought. It's like an airline captain announcing, "Due to mechanical problems, we will be late getting into New York. For those of you on connecting flights, we will re-book you on later flights at no charge, ensure that your luggage travels with you. I apologize for the inconvenience. Also, all the engines are on fire and we're probably all going to die."
It seems that they think their best way forward is if most of their users don't grasp the significance of what happened.
> No one cares how many employee logins were stolen.
Well, that's not entirely true. First off, it indicates that the breach was relatively contained. Or at least eBay wants you to think that.
The smaller the number the less chance there is that the credentials were to more privileged employees. Not every employee is created the same. Not every employee has access to account data and not every employee could send customers corporate communications.
Now yes, the who they got is important over the how many, but the how many can be stated without giving too much away.
Even still, if the number of Unix admins at eBay was only 0.001% of the total number of employees, the fact that 100% of their Unix admins had their accounts compromised means that, yes, a small number of employees had their accounts breached but it would still result in 100% of their user accounts being breached.
This is headline top-story news on the BBC right now therefore it must be 'big'. Yet no evidence of anyone making unauthorised access.
We have had a resurgence of 'Snowden' stories in the last few days, so here is a hypothetical scenario: what does a company do if the hackers turn out to be NSA/GCHQ? It is unlikely that they would drop an email to explain that they had just stolen the whole customer database because of some 'al-qaeda' based reasoning, so you would not know it was them. If you suspected it was them then people would wonder if you had taken your meds. If you got the FBI involved then they would tell you it was some script kiddies rather than the Peeping-Tom-Brigade.
Or, if you did know it was the NSA, then you might think that information was safe in their hands and not feel the need to tell the customers.
I look forward to when we get stories where the NSA are explicitly blamed for a data breach instead of some random Chinese hacker, and that emails are sent out saying 'we have been hacked by the NSA again, can you change your passwords please?'. If the NSA crawled out of the darkness to deny the breach then nobody would believe them.
You can paste in PayPal passwords on the password reset tool this week, but it's a new tool from last week when I last reset it. Wonder what made them update it?
I tried this around an hour ago and can't paste, it's being explicitly blocked.
Perhaps my region (UK) still uses the old password change page? For clarification, I'm using the change password function once logged in and not doing a forgotten password reset.
Ah. I don't see that. I see the new front screen (with large HTML5 video background) but when I log in I've got a rather dated interface http://imgur.com/KVSREgH
This doesn't let me paste, giving the aforementioned tip that I should copy/paste.
You're right. It seems to be working now. When I first tried, I could paste into any field but the change password fields.
However on PayPal, when pasting I received a little tooltip-style popup saying something along the lines of "Please do not copy and paste passwords.", followed by their password criteria.
Pasting into other fields (including the login page password field) worked perfectly fine.
Ugh, companies misunderstanding password security is so infuriating. Yes, let me use my memorable 8 character password instead of my fully randomized 30 character password protected by a strong password I use only for that, and a keyfile I have stored on my computer. I feel so much more secure now that I'm using weaker passwords.
Took a trip back to 2002 and visited the Account Settings / Personal Information screen to change my password. No alerts or redirects on login to change credentials. (But evidently an exciting "deal frenzy" is important enough to highlight in all caps and red text in the nav bar). Ok, so the PayPal DB wasn't affected, but does that matter? PayPal account is fully linked up there.
So I logged into eBay for the first time in over a year to change my password, and noticed that eBay edited my reply to a buyer's feedback.
Has anyone else heard about eBay doing this? I have no way to edit it back to the way it was from what I can tell. It's infuriating -- they changed the word "Buyer" to "Seller" to make it sound like my reply to feedback was referring to myself.
Given that important auxiliary details were compromised (name, phone, etc.), I'm beginning to think that encrypting that information should be more standard. Obviously this leads to trouble if searching by that information is required.
It's called PII, Personally Identifiable Information. In many industries, there are indeed strict requirements for protecting it... just not at Ebay, which, for its age, probably predates any such standard practices.
It certainly deletes the public-facing parts you can verify.
However note that they claim it will take up to 180 days to delete your account. (I went through this last year, getting sufficiently annoyed to close both Ebay & Paypal accounts.)
Exactly. It seems like business oriented press releases often say passwords are "encrypted" when they really mean hashed (if you're lucky). So we can't really tell from this.
I'm assuming they meant hashed rather than encrypted. If they were actually encrypted, then it's strange that they didn't say whether the key to decrypt them was also stolen.
Oh, so this explains the spam! I use a different email address for each site, and spam for ebay@[mydomain] became noticeable about two months ago. I should really pay more attention to these signs.
It shouldn't matter at all - the hashing should be done on the client so they wouldn't need to worry about server resources, and all output from a given hash function is the same size. Some hash functions may have upper limits, but I doubt it. Ever md5 a multi-GB iso you downloaded from the Internet to verify its integrity? It's the same thing.
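The points made in this thread about length caps (a hash is fixed-size whatever the input), about silently dropped trailing characters (try changing the last few and see if login still works), and about excluding characters for "injection safety", put into runnable form. This is an added example, not code from the thread or from any of the sites discussed; it assumes PBKDF2-HMAC-SHA256 from `hashlib`, a demo iteration count, a constructed salt, and a deliberately truncating `legacy_hash_password` that models the suspected behaviour.

```python
"""Added example: fixed-size password hashes make a length cap pointless,
and a self-check catches verifiers that silently drop the tail.

Assumptions: PBKDF2-HMAC-SHA256 via hashlib; ITERATIONS, SALT and the
truncating "legacy" verifier are constructed for the demo."""
import base64
import hashlib
import hmac

ITERATIONS = 10_000   # demo value; production deployments use far more
DIGEST_LEN = 32       # bytes of output requested, fixed whatever the input length
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Key-stretch the entire password.

    Output is always DIGEST_LEN bytes, so a 200-character password costs the
    database exactly the same storage as an 8-character one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=DIGEST_LEN)


def legacy_hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Deliberately flawed verifier modelling the suspicion voiced above:
    everything past 20 characters is silently discarded."""
    return hash_password(password[:20], salt)


def prehash_for_bounded_kdf(password: str) -> bytes:
    """For KDFs that do have an input limit (bcrypt stops at 72 bytes), hash
    first and base64-encode: the result is always 44 bytes of printable
    ASCII, so no part of a long passphrase is ever dropped."""
    return base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest())


def to_db_string(salt: bytes, digest: bytes) -> str:
    """Storage form. Only hex digits and '$' ever reach the database, which
    is why forbidding characters like $ < > in passwords buys nothing."""
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, stored: str, hash_fn=hash_password) -> bool:
    """Constant-time comparison against the stored salt$digest string."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_fn(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def truncates_silently(hash_fn, length: int, salt: bytes = SALT) -> bool:
    """The check one commenter proposed, automated: change only the last
    character of a `length`-character password. If the hash is unchanged,
    that position is being ignored by the verifier."""
    base = "a" * length
    altered = base[:-1] + "b"
    return hmac.compare_digest(hash_fn(base, salt), hash_fn(altered, salt))


def max_honoured_length(hash_fn, upper: int = 64) -> int:
    """Longest password length at which every character still matters
    (returns `upper` if nothing up to that length is truncated)."""
    for n in range(1, upper + 1):
        if truncates_silently(hash_fn, n):
            return n - 1
    return upper


if __name__ == "__main__":
    for n in (8, 29, 200):
        print(f"{n:3d}-char password -> {len(hash_password('x' * n))}-byte digest")
    print("honest verifier honours every character up to the test cap of",
          max_honoured_length(hash_password))
    print("legacy verifier honours only", max_honoured_length(legacy_hash_password), "characters")
```

Run against a real login form, the same `truncates_silently` idea is a one-off manual check of your own account: change the last character and see whether login still succeeds.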
The text on the page says that, but I had no problem using a 29 character password. I was upgrading from one with 23 characters though, maybe they grandfathered me in?