Feeds

eBay faces MULTIPLE PROBES into mega-breach

US attorneys-general and UK ICO probing circumstances around massive security breach

The Power of One eBook: Top reasons to choose HP BladeSystem

eBay is facing multiple investigations after a security breach that spilled the personal information of 145 million users, along with their passwords, which were encrypted in some as-yet-unknown way.

The online tat bazaar is being hit from both sides of the Atlantic today, with state attorneys-general in the US launching a joint inquiry while the Information Commissioner in the UK told various media outlets that his office is actively looking into starting a formal investigation.

The ICO’s Twitter account reported Christopher Graham telling BBC Radio this morning that the data watchdog was considering a probe of the eBay hack.

“eBay is, on the face of it, a very serious breach,” he said. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.”

Graham told Sky News that while he didn’t want to pre-empt a formal inquiry, his team had previously fined Sony £250,000 for its data breach.

The commissioner also warned folks to be wary of phishing emails that might appear to be from eBay and to only change their password directly on the eBay website.

Over in the US, Connecticut Attorney General George Jepsen had the same advice for eBay users in the state and also warned that his office would be looking into the breach, “as well as the steps eBay is taking to prevent any future incidents”.

Florida and Illinois have also started investigations into the hack, while New York’s AG Eric Schneiderman called for the online marketplace to provide free credit-monitoring services to its users.

“The news that eBay has discovered a security breach involving customer data is deeply concerning,” he said.

“New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.”

eBay’s databases were hacked some time between late February and early March by attackers who used employee login details to get into the corporate system. The firm only became aware of the attack recently and issued a statement earlier this week that personal information like names, addresses and phone numbers had been stolen, along with encrypted login details, but no financial data had been lifted.

The marketplace has faced a lot of criticism for its handling of the breach. Security experts continue to pressure eBay to reveal just how user passwords were encrypted so they can assess how easy it would be for criminals to decode them. Spokeswoman Amanda Miller has said that the website uses “sophisticated, proprietary hashing and salting technology to protect passwords”, but experts want more technical detail on how that works.

Users are also taking to forums to criticise how eBay has, or has not, informed people about the breach. Many eBay customers took to its forum to complain that they found out about the breach from the media, instead of from the company itself.

“Informing paying customers is just the right thing to do, leaving it to the BBC to do is just disrespectful!” one user said.

“If EBay has asked its users to change their passwords, then they missed me,” another complained. “I’ve not seen any notice on the site, and I haven't received a message either. What's more, there's no announcement in the "news" section either. Not only have they been "compromised" but they also seemingly can't be bothered to let their users know either.”

Even today, nearly three days after the initial announcement, users still haven’t received any direct emails explaining the breach or advising them on what to do.

eBay had not returned a request for comment on any of these issues at the time of publication. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.