eBay faces MULTIPLE PROBES into mega-breach

US attorneys-general and UK ICO probing circumstances around massive security breach

eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way.

The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a joint inquiry while the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation.

The ICO’s Twitter account reported Christopher Graham telling BBC Radio this morning that the data watchdog was considering a probe of the eBay hack.

“eBay is, on the face of it, a very serious breach,” he said. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.”

Graham told Sky News that while he didn’t want to pre-empt a formal inquiry, his team had previously fined Sony £250,000 for its data breach.

The commissioner also warned folks to be wary of phishing emails that might appear to be from eBay and to only change their password directly on the eBay website.

Over in the US, Connecticut Attorney General George Jepsen had the same advice for eBay users in the state and also warned that his office would be looking into the breach, “as well as the steps eBay is taking to prevent any future incidents”.

Florida and Illinois have also started investigations into the hack, while New York’s AG Eric Schneiderman called for the online marketplace to provide free credit-monitoring services to its users.

“The news that eBay has discovered a security breach involving customer data is deeply concerning,” he said.

“New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.”

eBay’s databases were hacked some time between late February and early March by attackers who used employee login details to get into the corporate system. The firm only became aware of the attack recently and issued a statement earlier this week that personal information like names, addresses and phone numbers had been stolen, along with encrypted login details, but no financial data had been lifted.

The marketplace has faced a lot of criticism for its handling of the breach. Security experts continue to pressure eBay to reveal just how user passwords were encrypted so they can assess how easy it would be for criminals to decode them. Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”, but experts want more technical detail on how that works.

Users are also taking to forums to criticise how eBay has, or has not, informed people about the breach. Many eBay customers took to its forum to complain that they found out about the breach from the media, instead of from the company itself.

“Informing paying customers is just the right thing to do, leaving it to the BBC to do is just disrespectful!” one user said.

“If EBay has asked its users to change their passwords, then they missed me,” another complained. “I’ve not seen any notice on the site, and I haven't received a message either. What's more, there's no announcement in the "news" section either. Not only have they been "compromised" but they also seemingly can't be bothered to let their users know either.”

Even today, nearly three days after the initial announcement, users still haven’t received any direct emails explaining the breach or advising them on what to do.

eBay had not returned a request for comment on any of these issues at the time of publication. ®
