eBay faces MULTIPLE PROBES into mega-breach

US attorneys-general and UK ICO probing circumstances around massive security breach

eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way.

The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a joint inquiry while the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation.

The ICO’s Twitter account reported Christopher Graham telling BBC Radio this morning that the data watchdog was considering a probe of the eBay hack.

“eBay is, on the face of it, a very serious breach,” he said. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.”

Graham told Sky News that while he didn’t want to pre-empt a formal inquiry, his team had previously fined Sony £250,000 for its data breach.

The commissioner also warned folks to be wary of phishing emails that might appear to be from eBay and to only change their password directly on the eBay website.

Over in the US, Connecticut Attorney General George Jepsen had the same advice for eBay users in the state and also warned that his office would be looking into the breach, “as well as the steps eBay is taking to prevent any future incidents”.

Florida and Illinois have also started investigations into the hack, while New York’s AG Eric Schneiderman called for the online marketplace to provide free credit-monitoring services to its users.

“The news that eBay has discovered a security breach involving customer data is deeply concerning,” he said.

“New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.”

eBay’s databases were hacked some time between late February and early March by attackers who used employee login details to get into the corporate system. The firm only became aware of the attack recently and issued a statement earlier this week that personal information like names, addresses and phone numbers had been stolen, along with encrypted login details, but no financial data had been lifted.

The marketplace has faced a lot of criticism for its handling of the breach. Security experts continue to pressure eBay to reveal just how user passwords were encrypted so they can assess how easy it would be for criminals to decode them. Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”, but experts want more technical detail on how that works.

Users are also criticising how eBay has, or has not, informed people about the breach. Many eBay customers took to its forum to complain that they found out about the breach from the media, instead of from the company itself.

“Informing paying customers is just the right thing to do, leaving it to the BBC to do is just disrespectful!” one user said.

“If EBay has asked its users to change their passwords, then they missed me,” another complained. “I’ve not seen any notice on the site, and I haven't received a message either. What's more, there's no announcement in the "news" section either. Not only have they been "compromised" but they also seemingly can't be bothered to let their users know either.”

Even today, nearly three days after the initial announcement, users still haven’t received any direct emails explaining the breach or advising them on what to do.

eBay had not returned a request for comment on any of these issues at the time of publication. ®
