  • FIRST POST
    • Former MSE Helen
    • By Former MSE Helen 21st May 14, 3:28 PM
    • 2,324 Posts
    • 971 Thanks
    Former MSE Helen
    MSE News: eBay cyber-attack: Change your passwords, auction site warns users
    • #1
    • 21st May 14, 3:28 PM
    eBay is urging customers to change their passwords after information including names and phone numbers were accessed ...

    Read the full story:

    eBay cyber-attack: Change your passwords, auction site warns users




    Click reply below to discuss. If you haven’t already, join the forum to reply. If you aren’t sure how it all works, read our New to Forum? Intro Guide.

    • miss_miggins
    • By miss_miggins 21st May 14, 5:44 PM
    • 177 Posts
    • 1,220 Thanks
    miss_miggins
    • #2
    • 21st May 14, 5:44 PM
    I have heard nothing directly from ebay. I phoned them this afternoon and the customer service staff knew nothing about it. Nothing in my message centre either.
    • steveE2
    • By steveE2 21st May 14, 6:32 PM
    • 1,202 Posts
    • 1,131 Thanks
    steveE2
    • #3
    • 21st May 14, 6:32 PM
    miss_miggins
    http://www2.ebay.com/aw/uk/201405211741492.html
    • barmonkey
    • By barmonkey 21st May 14, 7:00 PM
    • 6,827 Posts
    • 15,968 Thanks
    barmonkey
    • #4
    • 21st May 14, 7:00 PM
    You would think that if it was that important it would be all over the front page or they would at least send out an email
    WWSD

    (what would Scooby Doo)
  • VictimOfImpersonation
    • #5
    • 21st May 14, 7:17 PM
    It seems there is no end to this kind of security lapse - or better, security foul up waiting to happen.

    With so many data theft incidents having affected some of us multiple times, coupled with other kinds of compromise (bent employees creaming off and selling personal data) then it is extremely likely that there are massive shadow databases now in the hands of organised criminals which contain accurate personal data on almost whole populations.

    Yet banks, telecoms companies and others still rely upon full name (not essential), first line of address, postcode, date of birth as security when we call up about anything. In a very large number of cases now, all those pieces of data are compromised completely. So why are we still using them for security purposes?

    The ebay announcement is very mealy-mouthed. It doesn't tell the truth in a very clear way. It obfuscates the truth with vague language.

    An ebay representative can easily correct me but my translation of their vague language is this:

    More than one set of eBay employee login details got into the wrong hands.

    This gave various levels of access to an entire database of real ebay buyer and seller names and addresses and dates of birth behind usernames.

    It also says that encrypted passwords were accessed. It does not make it clear whether the encrypted passwords were therefore decrypted by the infiltrators, or whether they remained encrypted without any likelihood of possible decryption. Nor does it say whether any of the encrypted passwords were PayPal passwords because as we know, eBay encouraged us to make automatic links between our ebay accounts and PayPal accounts.

    Clearly however, those thousands of ebayers who may have used their first name as an ebay password because they thought the user name gave anonymity, now need to change them fast. Yes don't laugh. Whilst the same person might have a strong PayPal account password because they realise it is a form of banking, I have come across many who still use very weak passwords on shopping sites thinking the risk is slight.

    The Information Commissioner's Office in the UK needs total reform. It is woefully under-resourced and it needs to be forcing corporates to be much much more secure with our data.

    The daily fraud losses from Impersonation are outrageously high, and the only people that pay in the end is us.
    Last edited by VictimOfImpersonation; 21-05-2014 at 7:20 PM.
    • Pincher
    • By Pincher 21st May 14, 7:35 PM
    • 6,516 Posts
    • 2,491 Thanks
    Pincher
    • #6
    • 21st May 14, 7:35 PM
    Or is it even more devious?


    Maybe they have embedded key stroke logging software on millions of PCs, and they WANT us to change our passwords.


    The hackers know from previous attempts that the passwords they raided soon become worthless, as the hack is widely publicised, followed by mass change of passwords.


    Now, they feign an attack, which does not even need to succeed, but the new password it generates will now be usable for a long time.
    • marking_bad
    • By marking_bad 21st May 14, 7:51 PM
    • 502 Posts
    • 149 Thanks
    marking_bad
    • #7
    • 21st May 14, 7:51 PM
    Jack Bauer will sort 'em out.
  • VictimOfImpersonation
    • #8
    • 21st May 14, 8:08 PM
    Jack Bauer will sort 'em out.
    Originally posted by marking_bad
    Isn't he Chuck Norris' son ? Aren't they both already on eBay? Why yes of course!
    • GingerBob
    • By GingerBob 21st May 14, 8:25 PM
    • 3,612 Posts
    • 1,657 Thanks
    GingerBob
    • #9
    • 21st May 14, 8:25 PM
    From the point of view of identity theft this should not be much of an issue. At best the hackers will have your name (not full name) and address, together with a false DoB.

    You do all furnish a false DoB to organisations like Ebay, for data protection purposes, don't you?
    • harveybobbles
    • By harveybobbles 21st May 14, 8:33 PM
    • 8,748 Posts
    • 4,019 Thanks
    harveybobbles
    I just got this when I logged into eBay..

    • barmonkey
    • By barmonkey 21st May 14, 9:23 PM
    • 6,827 Posts
    • 15,968 Thanks
    barmonkey
    just logged in as usual, no sign of the above message.
    WWSD

    (what would Scooby Doo)
    • elver man
    • By elver man 21st May 14, 11:04 PM
    • 20,703 Posts
    • 3,674,977 Thanks
    elver man
    I just got this when I logged into eBay..

    Originally posted by harveybobbles

    Yes, I get the same. Been trying for over 3 hours (on and off) and still not able to edit password. Take months to let on there is a security breach and then they make it nigh impossible to change password.
    Thoughts:

    The surest sign that there is intelligent life in the universe is that they haven't contacted us yet
    Life's most urgent question is: what are you doing for others?
    Life's most urgent question is: What are you doing for others - Martin Luther King jr
    • Jon 01
    • By Jon 01 22nd May 14, 9:02 AM
    • 5,306 Posts
    • 1,752 Thanks
    Jon 01
    Nothing like that when I log in and nothing in messages or any email!
  • VictimOfImpersonation
    Yes what an awful muddle.

    eBay and its customers are like rabbits stuck in headlights in the middle of the road. Doesn't it just show how delicate this whole corporate sham about cyber-security really is?

    You have the likes of GingerBob (and a few more of us) telling corporates white-lies about our DoBs and Mother's maiden name to protect ourselves a little from exactly this kind of data theft (I think even we are kidding ourselves), but more importantly you have corporates telling us that they know we ('people') do that so they don't close the shutters when a little bit of inconsistent data is given to them by fraudsters, even when that means they end up with that same inconsistent data then incorporated into the body of their so-called security! Security so easily becomes "lies within lies" and we know what happens when three or more parties start telling each other lies, and know that they are likely to be told lies but essentially ignoring what is said and instead forming opinion based on the view of incoming from their own side - chaos and warzones.

    So into the warzones you get infiltrators, either recruited or just doing their own thing and making contact with baddies, and because corporates employ so many here today gone tomorrow types and give them almost unbridled electronic access to customer data, we are asking for trouble, aren't we?

    An employee may not even join a company like ebay with fraud in mind, but if they get fed up or too poor to resist temptation, they sell a bit of data to make ends meet! Except it's not a bit, is it? It's bytes - Gigabytes and even Terabytes in their pocket if they like but probably easier if they get login details and sufficient remote access authority so an associate can then login from a beach in San Francisco, St Petersburg, Sri Lanka or Sydney and download stuff at 45Mbps and can in each case pretend to be in an ebay office or at home in Siberia. And if I really wish to physically transport data, who would believe that the 'easy-swap' 8GB MicroSD no bigger than a little finger nail in my six year old mobile phone could hold as much data as 8,000 copies of the Holy Bible, and whilst doing it, it also contains enough standalone TomTom data to navigate me reliably by road and foot all the way between London and a seedy office I was invited to visit above a bagel shop in St Petersburg?

    Meantime we all get herded this way and that like slightly uneasy sheep by ebay, by the media, by government and even by MSE! Yes not rabbits, for they are the inadequate corporate units caught defenceless. We are the sheep. The shepherds seem to be organised crime as alluded to by Pincher. That's not good.

    It's probably not a coincidence (someone realising it is a good story to post at this moment) but this morning I received a link to an article about how few official resources stand against cyber-crime in the UK: http://www.idgconnect.com/blog-abstract/8297/uk-policing-unfit-purpose-digital-age-former-cop.

    Oh just one thing Bob - you said
    From the point of view of identity theft this should not be much of an issue.
    Remember this to organised crime is simply a numbers game or an intelligence game if you like. Forget the low-level employees who sold their login details or whatever they did, up the chain, organised criminals are not acquiring this data in isolation. They already have heaps of personal data from other sources some good, some bad. Every time they receive some more, they can confirm more and more as good or bad so their intelligence is continually becoming more and more potent. And remember, they are not like government secret intelligence (or at least I hope not!) so they are not choosy about who to attack next - they let their computers tell them which targets are now ripe for picking.
    Last edited by VictimOfImpersonation; 22-05-2014 at 9:52 AM.
    • Ralph-y
    • By Ralph-y 22nd May 14, 9:42 AM
    • 2,977 Posts
    • 3,751 Thanks
    Ralph-y
    so ........
    transcript from Ebay chat:-

    Axxxx
    Welcome to eBay Live Help, my name is Axxx. How may I be of assistance?

    rxxx
    can you please confirm if UK users need to change user password?
    Axxxx
    Hello Rxxxx. Yes, that's correct, UK users need to change their password. I suggest you change your password now if you haven't done so.
    rxxxx
    can I please ask as to why Ebay have not informed us personally of this issue?
    Axxxx
    eBay has a responsibility to fully understand the facts which required a full investigation. As soon as we knew what had happened and determined the best course of action, we acted immediately to disclose. We have seen no spike in fraudulent activity on the site.
    rxxxx
    no, you misunderstand. Why have Ebay not sent out messages to individuals via message or email to notify users of this? receiving information like this from news channels is not the way forward.
    rxxxx
    There is nothing on Ebay log in, or your home page!
    Axxx
    I understand that you have known it first in the news. That is usually the case as it is the nature of news agencies. As of now, we communicated this matter on eBay in the 'Announcement' board. I will also be forwarding your concern on why have eBay not notified members via message or email to the relevant team, so thank you for sharing that with me.
    rxxxx
    sorry to say that you would have received just 1* for communication in feedback!
    Axxxx
    I understand how frustrating this is. Rest assured I have forwarded your concern to the relevant team.
    rxxxx
    thank you

    Ralphy
    • Butterfly Brain
    • By Butterfly Brain 22nd May 14, 10:54 AM
    • 8,736 Posts
    • 61,001 Thanks
    Butterfly Brain
    Why has it taken two weeks for them to notify us?
    Blessed are the cracked for they are the ones that let in the light
    C.R.A.P R.O.L.L.Z. Member #35 Butterfly Brain + OH - Foraging Fixers
    Not Buying it 2015!
    • SamDude
    • By SamDude 22nd May 14, 12:27 PM
    • 230 Posts
    • 73 Thanks
    SamDude
    If we have to change our passwords that were encrypted (and perhaps decrypted) - as our name, address and phone number were not encrypted, do we have to change them as well?
    • RFW
    • By RFW 22nd May 14, 4:08 PM
    • 8,930 Posts
    • 5,150 Thanks
    RFW
    transcript from Ebay chat:-


    Originally posted by Ralph-y
    The modern definition of a masochist, someone who goes on to Live Chat to complain. No one actually cares or will do anything about it.

    Frank Spencer finally got a job he could stick at, crisis management for Ebay. They really have managed to make a bigger mess out of something that they could have easily played down and not for the first time.
    • frank potter
    • By frank potter 22nd May 14, 4:39 PM
    • 136 Posts
    • 110 Thanks
    frank potter
    Not surprised at anything – EBay login details appear to have been hacked for some time due to an XSS scripting vulnerability.
    I understand that this was warned about by the US Dept of Homeland Security in a vulnerability note issued in 2006:
    https://www.kb.cert.org/vuls/id/808921

    I recall mentioning this in post 6 in an earlier thread:
    http://forums.moneysavingexpert.com/showthread.php?t=4892376&

    The Twitter account of user “oneEyedJack5” indicates the extent of the scams and fraud taking place:
    https://twitter.com/OneEyedJack5
    • RFW
    • By RFW 22nd May 14, 4:44 PM
    • 8,930 Posts
    • 5,150 Thanks
    RFW
    The Twitter account of user “oneEyedJack5” indicates the extent of the scams and fraud taking place:
    https://twitter.com/OneEyedJack5
    Originally posted by frank potter
    One eyed Jack sounds wild