Feeds

eBay faces MULTIPLE PROBES into mega-breach

US attorneys-general and UK ICO probing circumstances around massive security breach

Using blade systems to cut costs and sharpen efficiencies

eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way.

The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a joint inquiry while the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation.

The ICO’s Twitter account reported Christopher Graham telling BBC Radio this morning that the data watchdog was considering a probe of the eBay hack.

“eBay is, on the face of it, a very serious breach,” he said. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.”

Graham told Sky News that while he didn’t want to pre-empt a formal inquiry, his team had previously fined Sony £250,000 for its data breach.

The commissioner also warned folks to be wary of phishing emails that might appear to be from eBay and to only change their password directly on the eBay website.

Over in the US, Connecticut Attorney General George Jepsen had the same advice for eBay users in the state and also warned that his office would be looking into the breach, “as well as the steps eBay is taking to prevent any future incidents”.

Florida and Illinois have also started investigations into the hack, while New York’s AG Eric Schneiderman called for the online marketplace to provide free credit-monitoring services to its users.

“The news that eBay has discovered a security breach involving customer data is deeply concerning,” he said.

“New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.”

eBay’s databases were hacked some time between late February and early March by attackers who used employee login details to get into the corporate system. The firm only became aware of the attack recently and issued a statement earlier this week that personal information like names, addresses and phone numbers had been stolen, along with encrypted login details, but no financial data had been lifted.

The marketplace has faced a lot of criticism for its handling of the breach. Security experts continue to pressure eBay to reveal just how user passwords were encrypted so they can assess how easy it would be for criminals to decode them. Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”, but experts want more technical detail on how that works.

Users are also taking to forums to criticise how eBay has, or has not, informed people about the breach. Many eBay customers took to its forum to complain that they found out about the breach from the media, instead of from the company itself.

“Informing paying customers is just the right thing to do, leaving it to the BBC to do is just disrespectful!” one user said.

“If EBay has asked its users to change their passwords, then they missed me,” another complained. “I’ve not seen any notice on the site, and I haven't received a message either. What's more, there's no announcement in the "news" section either. Not only have they been "compromised" but they also seemingly can't be bothered to let their users know either.”

Even today, nearly three days after the initial announcement, users still haven’t received any direct emails explaining the breach or advising them on what to do.

eBay had not returned a request for comment on any of these issues at the time of publication. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.