ebay hacked (change passwords)

21-05-2014 6:08pm #1

News reports of ebay being hacked, all users are recommended to change passwords.

Hackers apparently may have gained access to customer names, addresses, birth dates, phone numbers and email addresses.
No reports of financial data being compromised as of yet.

stevek93 · 21-05-2014 6:12pm

http://www.dailymail.co.uk/sciencetech/article-2635053/Use-eBay-Then-change-password-NOW-Site-requests-users-change-personal-details-dont-explain-why.html

I'd say this has something to do with the recent SSL exploit. Whatever its called.

Kinet1c · 21-05-2014 7:51pm

No prompt to change it when I login or no message in my account to change it.

21-05-2014 8:05pm

Neither did I when I logged in earlier but it is all over the news at the moment. I changed my password anyway.

ebay are still investigating and will probably start contacting users over the next 24hrs but they have already recommended users to change passwords via the media. The fact that a large company such as ebay could be hacked is quite worrying. :eek:

Mearings · 21-05-2014 8:23pm

I've just spent a frustrating hour trying to cancel my ebay.uk account which I have not used in 2 years. Problem is I cannot remember my password, they give me a choice between answering security questions, to which they say that I am incorrect replying to one or both, or receive a phone call, except that the number they have is out of date.
Is there any way of contacting ebay.uk directly?
Thanks

Rucking_Fetard · 21-05-2014 9:48pm

It wasn't hacked, it says

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

so I'd say the employees followed dodgy links, had spyware or some such.

E-mail to change passwords is incoming.

ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

21-05-2014 10:11pm

Did you actually read the first line of your quote?

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network"

So yes it is a form of hacking

Rucking_Fetard · 21-05-2014 10:30pm

Deleted User wrote: »

Did you actually read the first line of your quote?

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network"

So yes it is a form of hacking

Ahh, I suppose.

It wasn't Crazy Mad Skillz by some Ganja smoking, Club Mate drinking Black Hat is all.

It's most likely someone that should have known alot better clicking something they shouldn't.

OldMrBrennan83 · 21-05-2014 10:32pm

This post has been deleted.

Mearings · 21-05-2014 10:36pm

Mearings wrote: »

I've just spent a frustrating hour trying to cancel my ebay.uk account which I have not used in 2 years. Problem is I cannot remember my password, they give me a choice between answering security questions, to which they say that I am incorrect replying to one or both, or receive a phone call, except that the number they have is out of date.
Is there any way of contacting ebay.uk directly?
Thanks

Managed to change my contact details as my laptop remembered password
(??!). Have now changed my password & will cancel when more alert.

Blowfish · 22-05-2014 12:38am

Rucking_Fetard wrote: »

Ahh, I suppose.

It wasn't Crazy Mad Skillz by some Ganja smoking, Club Mate drinking Black Hat is all.

It's most likely someone that should have known alot better clicking something they shouldn't.

It's how the vast majority of compromises occur. A simple spear phish with a link to either malware or fake form asking for credentials. Then it's just a matter of privilege escalation.

Rucking_Fetard · 22-05-2014 12:47am

Blowfish wrote: »

It's how the vast majority of compromises occur. A simple spear phish with a link to either malware or fake form asking for credentials. Then it's just a matter of privilege escalation.

uh uh, was reading a good pdf on this yesterday....gimme a sec....

Edit: Well not really bout that but ways used (by NSA) to get around security measures in Games Consoles, Phones, cameras, TVs without having to like, "attack it".

Some good bits in it.

regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

old_aussie · 22-05-2014 1:08am

"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats".

http://www.businesswire.com/news/home/20140521005813/en/eBay-To%C2%A0Ask-eBay-Users-Change-Passwords#.U3ysFi8ZfH3

They will still recommend users change their passwords.

No request as of yet from eBay to change my password.

Dermot Illogical · 22-05-2014 12:15pm

old_aussie wrote: »

"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats".

It always gets me that these companies think I'll be reassured that my financial details haven't been compromised. I can change my financials if they've been compromised. I can't change my phone and address so easily.

Rucking_Fetard · 22-05-2014 5:00pm

User database (apparently) for sale for 1.453 BTC

pastebin.com/vmvjGw3N

And I'm off to change my password...which if they were ANY GOOD they would have MADE me do yesterday.

lurker2000 · 23-05-2014 7:59am

I never got an email from ebay to change my password....it might be a coincidence but last Sunday 150 emails were sent out by my gmail account to random addresses in my account. I was only alerted when some old numbers bounced back as undelivered. Luckily I saw that within 15 minutes. I had to email everyone on the list to delete the previous email...very annoying and very embarrassing as some of the contacts were people I didn't actually want to correspond with again....

Anyway, I never ever have given my gmail password to anyone BUT it was the same as my ebay password...obviously I've changed all passwords now.....and deleted the addresses that I don't want to correspond with again!

Be warned.

PrzemoF · 23-05-2014 9:15am

I just got a fake email from PayPal that my account has been banned. I'm not sure how close is ebay to paypal, but I remember I refused a few times to link the accounts.

Rucking_Fetard · 24-05-2014 5:32pm

Seems their were told about a different vulnerability on their site two months ago aswell and couldn't care less.

slashdot.org/story/14/05/24/1334243/severe-vulnerability-at-ebays-website

"The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the reported a few days ago. The XSS flaw can only be used to attack one victim at a time."

Khannie · 26-05-2014 5:00pm

Just got this email from them:

IMPORTANT: PASSWORD UPDATE

Dear eBay Member,

To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords.

Here's why: Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords.

What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

What I ask of you:
Go to eBay and change your password. If you changed your password on May 21 or later, we do not need you to take any additional action at this time.

Changing your password may be inconvenient. I realize that. We are doing everything we can to protect your data and changing your password is an extra precautionary step, in addition to the other security measures we have in place.

If you have only visited eBay as a guest user, we do not have a password on file.

If you used the same eBay password on any other site, I encourage you to change your password on those sites too. And if you are a PayPal user, we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.

Here are other steps we are taking:
As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.

Here's what we know: This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers' name, encrypted password, email address, physical address, phone number and date of birth.

However, the file did not contain financial information. And, after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. We also have no indication of a significant spike in fraudulent activity on our site.

We apologize for any inconvenience or concern that this situation may cause you. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We know our customers have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Can't believe they've known for this long and not told the public. Anyone who uses their ebay password elsewhere (i.e. most of the public) could have had their password cracked and been seriously compromised by this and ebay would know nothing about it. That they have seen no spike in fraud means *nothing*.

Blowfish · 26-05-2014 5:31pm

I haven't gotten any notification from them, had you changed your pw already prior to their mail?

PrzemoF · 26-05-2014 5:31pm

It's just 128000000 accounts. Not a big deal... :eek:

I got the same thing and I really like this part:
"We have no evidence that your financial information was accessed or compromised"

Translated to user language: "We have no evidence that it has not been accessed or compromised either"

PrzemoF · 26-05-2014 5:31pm

Blowfish wrote: »

I haven't gotten any notification from them, had you changed your pw already prior to their mail?

I did.

Khannie · 26-05-2014 9:43pm

Blowfish wrote: »

I haven't gotten any notification from them, had you changed your pw already prior to their mail?

I didn't. It's a ridiculously long and complex password and I only use it on that site. If someone cracks it, fair fcuks to them tbh.

industrialhorse · 27-05-2014 9:22am

I got the same email too this morning. Found a few traces of bad grammar which was enough to turn me off but I am mostly irritated by the fact that they have only decided now that an email from the "President of Global Ebay Marketplace" would be most appropriate to spring users into action and change their passwords. Was it not plainly obvious from the notice on the eBay homepage that users are being told that it is important to change their passwords and not just being given some friendly advice?
I have already sent an email around the workplace advising eBay users to change their passwords (along with their PayPal passwords) and not to be deceived by any emails purporting to be from eBay. I really hope that none of them receive the same email from eBay this morning and start forwarding them onto me cos I really aint got the time to be dealing with eBay's sh*t.......though I did happily set some time aside for this rant:D

Khannie · 27-05-2014 11:31am

industrialhorse wrote: »

Was it not plainly obvious from the notice on the eBay homepage that users are being told that it is important to change their passwords and not just being given some friendly advice?

I didn't visit the ebay front page.

rankingelite · 28-05-2014 6:58pm

Just got the email today, I was worried because my ebay is linked to my paypal and my paypal is linked to my bank account

stevek93 · 28-05-2014 11:59pm

Dear eBay Member,

To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords.

Here's why: Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords.

What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

What I ask of you:
Go to eBay and change your password. If you changed your password on May 21 or later, we do not need you to take any additional action at this time.

Changing your password may be inconvenient. I realize that. We are doing everything we can to protect your data and changing your password is an extra precautionary step, in addition to the other security measures we have in place.

If you have only visited eBay as a guest user, we do not have a password on file.

If you used the same eBay password on any other site, I encourage you to change your password on those sites too. And if you are a PayPal user, we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.

Here are other steps we are taking:

As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.

Here's what we know: This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers' name, encrypted password, email address, physical address, phone number and date of birth.

However, the file did not contain financial information. And, after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. We also have no indication of a significant spike in fraudulent activity on our site.

We apologize for any inconvenience or concern that this situation may cause you. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We know our customers have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Rucking_Fetard · 17-09-2014 10:45pm

Rucking_Fetard wrote: »

Seems their were told about a different vulnerability on their site two months ago aswell and couldn't care less.

slashdot.org/story/14/05/24/1334243/severe-vulnerability-at-ebays-website

"The German security expert Micheal E. discovered the persistent cross-site scripting vulnerability on eBay's website about two months ago and said he reported it to Ebay immediately. Ebay ceased to answer his emails, after writing that they considered it a mostly harmless error. Micheal E. sent Golem.de a PoC demonstrating that the error that has not yet been fixed. An attacker can manipulate an official auctioning web page and insert Javascript code. By visiting the malicious web page the code is executed by the victim and could potentially be used by the attacker to to execute arbitrary actions in the victim's Ebay account and gain full control over it. There is probably no connection to the reported a few days ago. The XSS flaw can only be used to attack one victim at a time."

And again...

eBay redirect attack puts buyers' credentials at risk

http://www.bbc.co.uk/news/technology-29241563

wandererz · 20-09-2014 11:27am

It's not surprising.

Listened to ebay's security guy at a an ISC2 launch event a few months ago talking about how they don't "block" or prevent but have an open policy of allowing everything through and doing post analysis, building their own systems etc. Everyone seemed rather impressed listening to someone from one of the big companies.

Apparently that no longer works as well as they thought huh?

Edit: According to the BBC, this flaw has existed for months
http://www.bbc.com/news/technology-29279213

Kur4mA · 20-09-2014 1:55pm

Wrong, wrong, and wrong. This started due to a terrible and misinformed article by the BBC. It's not an XSS attack when nothing was injected into the page.

If you have a form available to all sellers which allows sellers to include HTML and some JavaScript in the description of their listings to jazz them up (which eBay and other marketplace websites do)... that is NOT an attack.

However, using that feature to include malicious code or redirects is a breach of one of eBay's most strict policies. Unfortunately, there are certain sellers who are banned from eBay and are able to circumvent filters to create new accounts and do this kind of thing... or the other type of seller who repeatedly falls for phishing emails which in turn allows a malicious person access to their account, and then those persons create these malicious listings on eBay.

http://pages.ebay.com/help/policies/listing-javascript.html

On this occasion, there was a simple redirect placed in some JavaScript of the listings description which sent users to a 3rd party website. This type of policy breach happens every day on eBay and other major marketplace websites.

This is not a "flaw that has existed for months", it is an issue which has existed for years. You can do 2 things:

1. Remove the ability for sellers to make their listings more interactive by blocking use of HTML/JavaScript, therefore making your marketplace fairly useless and a very dull affair

or

2. You can leave the feature there, and employ huge teams of people to check listings and take actions on items reported by other eBay members

eBay has opted for number 2. There is a reason eBay employs a huge number of people who are both proactively scouring the websites all day to pull malicious listings off the site, and responding to reports of items like the one in this BBC article. The BBC and the media in general have latched onto the new iPhone release and the fact that eBay has had security issues in the past and put this ridiculous story out there.

Hotblack Desiato · 26-09-2014 1:26am

I disagree, it is incredibly stupid and irresponsible for ebay to allow sellers to submit their own javascript to their listings. Rule no.1 of running a website, NEVER trust user input.

ebay hacked (change passwords)

Comments