As I am sure you are all aware by now, the titan of online auction sites revealed last week that it had been breached sometime between February and March. It also came to light that whoever was responsible for the breach had made off with user passwords and other non-financial information such as names, email addresses, physical addresses, phone numbers and dates of birth.
At this time we are unaware of who stole this information or how they did so, but we do know the company has a job on its hands in terms of responding to the incident. Many security professionals think that eBay has not performed well in this respect, especially in terms of communicating what happened to its customers. And I agree.
I can understand why there could be a delay between the company discovering the breach and informing the millions of people who use its various sites, as it would wish to examine the extent of the breach, patch any discovered holes and bring law enforcement in to begin an investigation.
But what is telling in this case is the fact that news outlets and bloggers were divulging far more than eBay from the moment the breach became known. Those same news sources were also giving out sound advice from the beginning whilst we waited for eBay to even alert users via its sites.
Considering the fact that passwords have been taken, I think it was imperative that the company send out an email to all of its customers without delay.
Even though eBay has confirmed via Twitter that the encrypted passwords were hashed and salted –
“We store encrypted passwords that have been hashed and salted. No evidence shown that the encryption on passwords has been broken.”
– there is no word on the type of hashing algorithm used, and it seems there will not be. Also, given that we know many users employ basic passwords (and eBay allows them to do so), and that they will likely re-use those passwords across the web, communication from the auction site becomes even more important.
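To show why the algorithm matters and not just the salt, here is an added example (not code from the post or from eBay) that hashes a weak and a strong password with a salt under two schemes and then audits how many common-password guesses recover each one. The five-entry wordlist and both passwords are constructed for the demonstration; the iteration count is an assumption.

```python
import hashlib
import os
import time
from typing import Callable, Iterable, Optional

# Constructed sample wordlist of the kind of "basic" passwords the post describes.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "ebay2014"]


def hash_fast(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-256: the salt defeats precomputed tables, nothing more."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed iteration count): every guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def guesses_needed(stored: bytes, salt: bytes,
                   hash_fn: Callable[[str, bytes], bytes],
                   wordlist: Iterable[str]) -> Optional[int]:
    """Defender-side audit: how many wordlist guesses until the stored hash matches, or None."""
    for position, candidate in enumerate(wordlist, start=1):
        if hash_fn(candidate, salt) == stored:
            return position
    return None


def audit() -> dict:
    """Hash a weak and a strong password under both schemes; return (hit position, seconds) per case."""
    salt = os.urandom(16)  # fresh random salt, as any sane scheme would use
    passwords = {"weak": "letmein", "strong": "c0rrect-h0rse-battery-st4ple"}
    results = {}
    for scheme, fn in (("sha256", hash_fast), ("pbkdf2", hash_slow)):
        for label, pw in passwords.items():
            stored = fn(pw, salt)
            started = time.perf_counter()
            hit = guesses_needed(stored, salt, fn, COMMON_PASSWORDS)
            results[(scheme, label)] = (hit, time.perf_counter() - started)
    return results


if __name__ == "__main__":
    for (scheme, label), (hit, seconds) in audit().items():
        outcome = f"recovered on guess {hit}" if hit else "not in wordlist"
        print(f"{scheme:7s} {label:6s}: {outcome} ({seconds:.3f}s)")
```

The salt stops nothing when the password itself is on a short wordlist; only the slow scheme makes each of those guesses expensive, which is exactly the detail eBay's statement leaves out.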
Given that, I was surprised that it took until this morning, some 5 days after I had already changed my own password, to receive the first piece of communication from the company:
Which, in my opinion, is too little, too late.
Not only has eBay taken some time to send this email out – and none of my friends or family have even received this notification yet – but it also fails to mention any concerns over the theft of personal information, choosing to emphasise how no financial information was directly taken.
Not good enough in my opinion, and still not a comprehensive enough response, as I personally know many people who still haven’t changed their passwords, despite advice, because they are waiting for official word from eBay.
When they will get that is anyone’s guess right now.
Have you received a password reset email from eBay yet?