News - eBay hackers access 145 million records but PayPal isn't exposed

[HEXUS]

Auction giant asks all customers to change their passwords.

Read more.

[amjedm]

Yes, changed password yesterday.

They were for some reason unable to email the users and ask them to change - they can email quickly about free listings or other offers but not in this instance...

[davesom555]

I didn't get emailed or messaged either... perhaps unaffected? Regardless, I changed my password.

[crossy]

A large part of a 145 million user record database was snatched from eBay's servers in the huge data breach.

Does this mean that the title of this article is a wee bitty misleading?

Also, if a "large part" of this vast store of data was grabbed, then why did it take eejit-bay this long to find out?

I'd change my password now, but there's been reports that the eBay servers are having problems coping with the load. Apart from anything, it's long overdue that I did anyway. Ooops!

EDIT: just tried to change my password - not that straightforward, because when I eventually found the correct place (obvious when you think about it), the password checker decided that one, or more, of "^}>" were whitespace and it wasn't going to allow it. Also be interested to know what it thinks is a strong password. I tried a 12 character one with upper- and lower-case plus numbers and symbols (no dictionary words) and got told that this was only "medium" strength.

[DemonHighwayman]

Just changed mine today, although I think there servers are feeling the strain of all these password changes as it took five tries for mine to go through.
I'm so glad ebay came forward when it happened ! it really puts ones mind at rest knowing we can trust them. And i'm certain they haven't "just discovered the breach" because there was talk about this having happened already about a month and a half ago ! And I was affected at the time, not being able to log in etc.

[McEwin]

Why wasn't my name, address and telephone number encrypted? These companies need to be hauled over the coals. Surely any personal information should be encrypted by default. I know it's not a guarantee but hopefully it would take longer enough that the information would no longer be valuable... I spend my life keeping myself hidden and secure online only to have my details lost by someone else's unscrupulous practices. Frustrating.

[Rad77]

... Also be interested to know what it thinks is a strong password. I tried a 12 character one with upper- and lower-case plus numbers and symbols (no dictionary words) and got told that this was only "medium" strength.

Yes, same here - a random generated mixed character password at 12 chars was rated a mere 'medium'. Very glad (thanks to Lastpass) that I don't have to memorise it or type it in!

[Jowsey]

Why wasn't my name, address and telephone number encrypted? These companies need to be hauled over the coals. Surely any personal information should be encrypted by default. I know it's not a guarantee but hopefully it would take longer enough that the information would no longer be valuable... I spend my life keeping myself hidden and secure online only to have my details lost by someone else's unscrupulous practices. Frustrating.

Here here!

Thankfully I don't use Ebay, but the scale of time is just ridiculous. 3 Months?!

[j.o.s.h.1408]

Changed my passwordtoo but boy is the ui appaling

[Saracen]

Why wasn't my name, address and telephone number encrypted? These companies need to be hauled over the coals. Surely any personal information should be encrypted by default. I know it's not a guarantee but hopefully it would take longer enough that the information would no longer be valuable... I spend my life keeping myself hidden and secure online only to have my details lost by someone else's unscrupulous practices. Frustrating.

Maybe it was?

As I understand it, this 'hack' was more a case of getting actual passwords of legit staff than a technical hack. I.e. more social engineering than code level. And if so, presumably, at some level, systems people can perform functions through encryption because they're authorised.

It's interesting that, at least as far as I've seen, ebay have been pretty coy about explaining exactly HOW this 'hack' was done.

I just hope it's not as stupid as leaving a laptop on a train/cab containing loads of unencrypted intelligence service data, or posting most of the tax service database through the mail and using the damn discs. 'Cos, after all, that could never happen, could it.

This is, by the way, one reason why I keep absolutely every jot of information I can private, and out of commercial hands and off of databases.

I wish anyone that uses the phone number ebay had for me the very best of luck with it. I seem to remember giving them the switchboard number for the information commissioner's office? Or was it Scotland Yard's Fraud team? Or maybe it was the Sun's Newsdesk number? Or may Inquiries at MI-5? Or the FBI number at the London US embassy?