The spin is atrocious. The big story is not the headline, that users must change passwords.<p>The big story is that eBay leaked personally identifiable information. Naturally this is buried four paragraphs down.<p><pre><code> The database, which was compromised between late February and
early March, included eBay customers’ name, encrypted password,
email address, physical address, phone number and date of birth.
</code></pre>
Don't patronize me with empty platitudes like "changing passwords is a best practice".<p>Tell me to brace for an inevitable wave of phishing and identity attacks.<p>Tell me that bad guys will try to steal my other online accounts with this information.<p>Tell me to trust no one because bad guys now look legit with my home address, phone number and DOB.<p>Pro tip: put the real story in the headline. That's also a "best practice".
> The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.<p>Ebay being hacked kind of scares the hell out of me because PayPal has my checking account information with direct access to withdraw funds. A hacker could rob me blind. Like seriously the owner of PayPal should not be telling me this "we have no evidence of" bullshit because there's no alternative to PayPal that online stores actually use and changing your checking account number and routing number is very very painful. You have to get new checks, you lose checking history. Fuck.
"The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information."<p>…So, just my entire identity then? eBay really seem to be down-playing the severity of this.
Week 1: "We have no reason to believe that any confidential information has been compromised."<p>Week 2: "We have observed some limited and negligible instances of credit card information being compromised that coincidentally happened to be linked to eBay accounts. We consider this purely coincidental and feel it is no cause for concern."<p>Week 3: "Oh god they took everything."
Has anyone received an email from eBay about this? I'm guessing that the phishers are going to be faster at getting out fake change password emails than eBay themselves.
Since PayPal == eBay, I just went to change my PayPal password as well.<p>PayPal went full retard. The security confirmation question?<p>Please supply your full credit card number ending in ####.<p>Um, that's the information I'm trying to protect in the first place.<p>edit: sorry about the "full retard" - trying to quote from Tropic Thunder/RDJ. did not mean to offend
>Cyberattackers compromised a small number of employee log-in credentials<p>This bothers me. No one cares how many employee logins were stolen. It only takes one to cause a huge amount of damage. Is anyone reading this thinking "oh, it's okay, they didn't take too many employee logins"?
This is headline top-story news on the BBC right now therefore it must be 'big'. Yet no evidence of anyone making unauthorised access.<p>We have had a resurgence of 'Snowden' stories in the last few days, so here is a hypothetical scenario: what does a company do if the hackers turn out to be NSA/GCHQ? It is unlikely that they would drop an email to explain that they had just stolen the whole customer database because of some 'al-qaeda' based reasoning, so you would not know it was them. If you suspected it was them then people would wonder if you had taken your meds. If you got the FBI involved then they would tell you it was some script kiddies rather than the Peeping-Tom-Brigade.<p>Or, if you did know it was the NSA, then you might think that information was safe in their hands and not feel the need to tell the customers.<p>I look forward to when we get stories where the NSA are explicitly blamed for a data breach instead of some random Chinese hacker, and that emails are sent out saying 'we have been hacked by the NSA again, can you change your passwords please?'. If the NSA crawled out of the darkness to deny the breach then nobody would believe them.
And neither eBay nor PayPal allow me to paste a secure password from KeePassX. <i>sigh</i><p>Edit: I can now paste on eBay (not sure what went wrong the first time) but PayPal is still actively preventing pasting a new password.
Considering the situation, it's either poor timing or related, but I can't change my PayPal password. Get a blank page.<p>Not confident.<p>To be honest it takes the piss as they are spamming UK TV with adverts for how secure PayPal is at the moment.<p>Really wish I never signed up but eBay has a monopoly on the payment types now.
But don't use DuckDuckGo's password generator.
<a href="http://www.sami-lehtinen.net/blog/random-passwords-using-duckduckgo" rel="nofollow">http://www.sami-lehtinen.net/blog/random-passwords-using-duc...</a>
Unfortunately, attempting to reset one's password results in:<p>> Sorry. We're currently experiencing technical difficulties and are unable to complete the process at this time.<p>Swamped already?
Took a trip back to 2002 and visited the Account Settings / Personal Information screen to change my password. No alerts or redirects on login to change credentials. (But evidently an exciting "deal frenzy" is important enough to highlight in all caps and red text in the nav bar). Ok, so the PayPal DB wasn't affected, but does that matter? PayPal account is fully linked up there.
So I logged into eBay for the first time in over a year to change my password, and noticed that eBay edited my reply to a buyer's feedback.<p>Has anyone else heard about eBay doing this? I have no way to edit it back to the way it was from what I can tell. It's infuriating -- they changed the word "Buyer" to "Seller" to make it sound like my reply to feedback was referring to myself.
Remember a couple of months ago when Icahn described eBay as the worst-run company he'd ever seen? [1]<p>Seems rather prescient now. Their incompetence has just cost us all our personal information.<p>[1] <a href="http://www.cnbc.com/id/101467290" rel="nofollow">http://www.cnbc.com/id/101467290</a>
Being that important auxiliary details were compromised (name, phone, etc.), I'm beginning to think that encrypting that information should be more standard. Obviously this leads to trouble if searching by that information is required...
Oh, so this explains the spam! I use a different email address for each site, and spam for ebay@[mydomain] became noticeable about two months ago. I should really pay more attention to these signs.
I'm getting tired of sites that limit password length. Microsoft limits you to 16 characters.<p>Storage is cheap and you shouldn't be skimping on the most sensitive field in your dataset.
eBay's password character limit is 20 characters. I use a password manager and detest sites that limit your password length to < 100 characters.