ebay hacked


John Marsh
21st May 2014, 14:48
From Today Online:
NEW YORK — E-commerce company eBay said client identity information including emails, addresses and birthdays were stolen in a hacking attack between late February and early March.

eBay urged users to change their passwords after the attack on a database that also contained encrypted passwords, physical addresses and phone numbers.

It said it found no evidence of any unauthorised access to financial or credit card information.

eBay shares fell as much as 3.2 per cent after the latest high-profile hacking attack on the United States company.

“For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” eBay spokesman Kari Ramirez said.

The attack was made through compromised employee accounts that allowed unauthorised access to its corporate network, the company said in a statement. It said the breach was first detected about two weeks ago.

The company said it found no evidence of unauthorised access to personal or financial information for users of its online payment service, PayPal.

eBay earlier issued a notice on its PayPal website asking users to change their passwords, but took down the message a short time later without explanation.

The message headline was “eBay Inc To Ask All eBay Users To Change Passwords” but had no other information other than the words “place holder text”.

http://www.todayonline.com/tech/ebay-database-hacked

According to a security expert on BBC R5, the data taken has the potential to aid identity theft.

SpringHeeledJack
21st May 2014, 15:02
I'm always both surprised and curious when large companies are 'hacked' and loads of information is taken. Is it that the hackers are 2 steps ahead of the (hopefully) top class cyber security, or is it that the security is too lackadaisical whilst pretending to be the opposite ?

mixture
21st May 2014, 20:33
Is it that the hackers are 2 steps ahead of the (hopefully) top class cyber security, or is it that the security is too lackadaisical whilst pretending to be the opposite ?


It could be either or both. Although to be honest, for a high profile site such as eBay, it's very unlikely to be the latter since they no doubt get everything including the kitchen sink thrown at their infrastructure by mischievous individuals every single day.

The fact of the matter is that exploits come thick and fast as innovative new techniques emerge from ever creative minds. Once your infrastructure grows to the size of eBay it all becomes one big game of cat and mouse... because updates take so long to roll out - both due to the testing process in staging before rolling out to production, as well as the sheer number of assets across your estate that need to be updated.

Guest 112233
22nd May 2014, 11:09
From the reports that I have heard (BBC R4); Name and address + date of birth details and login password have been lost; commencing from February 2014.

If this is the case, I would contend that the statement "No financial data has been lost" is open to question. What personal details do you need to open a Credit card A/C ?

Was the "personal data" of their customers held as plain-text on their servers ? or was encryption used ?

The whole Internet retail industry is increasingly looking to be a Retail-Fest devoid of integrity.

[Edit:Give me a reason why a vendor would want your Date of birth ! outside Marketing Profile reasons i.e. not a valid reason]

CAT III

Saab Dastard
22nd May 2014, 11:13
The attack was made through compromised employee accounts

There is always a weakest link - in this case virtually no amount of cyber security is going to protect from an attack from within the fortress.

SD

cattletruck
22nd May 2014, 12:53
Of course, one way to rekindle interest in your product is to get all users past and present to log in. To achieve that you could invent a story about accounts being hacked and that everybody now needs to change their password.

If only you saw some of the tools I came across that had the word "Digital" in their job title and wouldn't hesitate doing such a scam. They didn't succeed because we wouldn't let them.

Keef
22nd May 2014, 12:54
There was an occasion about 20 years ago when my boss and I needed to make some urgent changes to a paper that was going to the board the next day. His secretary had just gone off on a walking holiday, and the document was secure in her section of the company system.

It took the two of us about five minutes to "hack" the security system, change her password, and do the necessary to access the document.

Like all security, it's only as good as the people thinking about it. They will armour plate and treble-secure the front door, windows etc. But they'll leave the back door open for the staff to come and go. Anyone with a bit of nous can get in that way.

Not much has changed in those 20 years.

Phileas Fogg
23rd May 2014, 04:31
It said it found no evidence of any unauthorised access to financial or credit card information.

Well hang on a minute, credit card and bank details are held by PayPal and not by eBay. Whilst eBay may own PayPal are eBay admitting that eBay in themselves hold financial and credit/debit card information?

Saab Dastard
23rd May 2014, 09:04
Yes, ebay holds financial information - how else do you think it debits seller fees?

If you haven't got a seller account it may not need that information.

SD

onetrack
23rd May 2014, 09:06
Phileas Fogg: "Whilst eBay may own PayPal are eBay admitting that eBay in themselves hold financial and credit/debit card information?"

Yes, indeed. If you're a seller who isn't a "casual seller", or an eBay store owner, eBay require you to put on record, account or CC details to enable them to take funds from that account or CC when you owe them money for sales.

The part that makes me angry is that eBay is always intent on improving returns to eBay - but they care so little about their clients' private and important details, that they don't even encrypt your name, address, email, birthdate, and phone number.

CC companies encrypt all your private information, and they offer fraud protection as well. eBay offer you nothing.

The media state that eBay is emailing clients advising them to change their password. Nothing of the kind has happened - there's only a message on the home page of eBay advising you to change your password.

These stolen details are gold for scammers, and they now have 145,000,000 users' details to on-sell to every scammer on Earth.
I trust that someone starts a class-action against eBay for failure to take basic precautions with vital personal information.

There's a message doing the rounds that someone is offering all these eBay details for sale, already.

EBay users still at risk following cyber attack, even if they changed passwords (http://www.watoday.com.au/it-pro/security-it/ebay-users-still-at-risk-following-cyber-attack-even-if-they-changed-passwords-20140523-zrlzk.html)

eBay seller details for sale. Payment in BitCoins - http://pastebin.com/vmvjGw3N

mixture
23rd May 2014, 10:20
eBay seller details for sale. Payment in BitCoins - http://pastebin.com/vmvjGw3N

Should be noted that some sources suggest Mr/Mrs "KbcdPfA" is a fake.

Wouldn't surprise me in the least that there are scammers out there cashing in, not that people attempting to buy illegal data deserve much protection of course !

At least payment is in Bitcoin which means you can watch how many scum fall for the bait... https://blockchain.info/address/1e4aLP3jKD9wRAcSRNVb7VHbd7KbcdPfA

(Also another good reason to regulate bitcoin more heavily !)

Phileas Fogg
23rd May 2014, 11:07
Yes, ebay holds financial information - how else do you think it debits seller fees?

Yes, indeed. If you're a seller who isn't a "casual seller", or an eBay store owner, eBay require you to put on record, account or CC details to enable them to take funds from that account or CC when you owe them money for sales.

I was a seller on eBay and when I sold then monies went in to my PayPal account and come the end of each month eBay had a, so to speak, direct debit arrangement with my PayPal account to take any listing fees and/or seller fees from my PayPal account.

My card and bank account details were only ever registered with PayPal and never with eBay!

onetrack
23rd May 2014, 11:20
Phileas - You must have joined eBay early in the piece, before they tightened up the financial requirements. eBay hates losing money, and they didn't take long to ensure they got paid, when a seller didn't pay on time.
I used to be a store owner on eBay, but they got too hungry, and they didn't want "hobby" sellers, only the "biggies" with massive turnover.
It suits me fine, I rarely go there now, because there's plenty of alternatives - mostly in the sellers' own websites - and I have no need to deal with their rapaciousness.
Everything on eBay is slanted in eBay's favour, there's no fairness, no adjudication, no longer any ability to leave negative feedback for scumbag buyers, and no longer any good feeling when dealing with them.

Phileas Fogg
23rd May 2014, 11:51
onetrack,

I totally agree, eBay are a'holes, alas where I live now buying on eBay can be cheaper and better quality than the cr@p I can buy here locally on Siargao Island.

Dan Gerous
24th May 2014, 15:24
Well so much for advising you to change passwords. Now you can't get in unless you change your password. I've allegedly been sent 3 texts and phone calls to my phone, with a new PIN to get in, but haven't seen sight nor sound of them. Useless cnuts. They're quick enough at finding more ways to screw you for money. It obviously isn't being spent on security though.