May 21, 2014

EBay breach again highlights need for secure passwords

The online shopping site said a cyberattack compromised its customers’ personal information but that the online criminals did not get into PayPal.

The big countdown on eBay Wednesday meant changing your password before the hackers could crack open your account.

America’s online yard sale spent the day telling its 145 million active users that it had a security breach. Change your password, as a precaution, it said.

The call to action comes after Target’s huge data breach last fall and barely a month after many popular websites advised us to change our passwords because of the Heartbleed bug.

April’s discovery of Heartbleed revealed that software specifically designed to shield consumers from cybercriminals had a flaw that left passwords vulnerable for up to two years. Once sites fixed the flaw — Dropbox, Instagram, Facebook, Netflix, Flickr, Tumblr, Pinterest and more, according to — they urged customers to — you guessed it — reset their passwords.

In the wake of the eBay breach Wednesday, experts were reminding regular online consumers that they are a critical part of the Internet’s and websites’ online security systems. Companies can do a lot, maybe more, to keep our information secret. But our own diligence is a must.

That means keeping watch of your passwords, changing them often, and using passwords composed of genuinely random strings of letters, numbers and symbols of stealth. Too many unwary website consumers still use “password,” a pet’s name or some other easily deciphered phrase.

Experts also agree that the best protection is a unique password for each site. Too many of us tap the same secret script into every registration page we encounter.

“The crux of the problem today is not even that your eBay password got compromised,” said Brian Gregory, president of Network Innovations Inc. in Olathe. “If you use the same login on your banking site, all of a sudden it is a big deal.”

As data breaches go, eBay’s was relatively mild even though it took in an undisclosed but large number of customer accounts. Hackers gained no credit card numbers or other financial information, the company assured users and stockholders.

EBay also told customers there was “no evidence” of unauthorized activity in customers’ accounts, and that hackers didn’t get into the PayPal website that eBay owns. Many consumers routinely use PayPal to make payments online.

The stock of eBay, which is based in San Jose, Calif., fell by more than 3 percent in early trading Wednesday but closed only 8 cents lower at $51.88.

In comparison to the eBay breach, the break-in at Target stores during the height of the holiday shopping season exposed the financial information of 40 million customers and personal information of 70 million.

At eBay, the invaders gained access to a computer database that held the names, email addresses, street addresses, phone numbers and dates of birth of eBay users. It’s just the kind of stuff it helps to know if you want to prove your identity online.

“Folks have got to be on the lookout for phishing scams and other attacks which might exploit the breached data,” British security blogger Graham Cluley said in an email.

Phishing is when fraudsters try to gain personal information from consumers by posing as legitimate companies like eBay. EBay’s notice said such attacks typically follow data breaches and can involve a fake website, emails and texts using the brand.

EBay, nevertheless, said it would use email as one way to ask customers to change their passwords. That means customers will have to identify the company’s legitimate email from potential scams.

The hackers also made off with encrypted versions of its customers’ passwords, according to eBay. Cluley said hackers have broken encryption codes before.

Oddly, according to Cluley’s blog, the news of eBay’s problem broke on PayPal.

“A post has appeared on PayPal’s community site and press website claiming that eBay is going to ask all eBay users to change their passwords,” Cluley wrote early Wednesday.

It was just a PayPal headline and only three words — “place holder text” — appeared where the story should be. But the PayPal post suddenly disappeared, leaving Cluley to ponder about a possible “mischief-maker” afoot or maybe an inadvertent post from some “crisis management exercise.”

Or something really was wrong. Either way, he changed his eBay password.

Consumers who heed the calls to change their passwords frequently can get help from password managers. This inexpensive or sometimes free software will generate strong passwords for you, hold them securely through encryption and retrieve them when you visit sites.

“Then you have to trust the password manager,” said Gregory, the Olathe businessman, who uses LastPass to keep track of the 150 or so passwords he uses online.

LastPass was one of several password managers that reviewed last month after the Heartbleed news broke.

These products protect your passwords behind a master password. Some, according to PCmag, can be set up to require a fingerprint on top of the master password to authenticate the user.

While the eBay breach has experts again warning about the proper use of passwords, in fact they weren’t the weak link at eBay.

The company said its breach came about because “a small number of employee log-in credentials” had been “compromised” in a cyberattack. That gave hackers access to the company’s corporate network and then customers’ data.

EBay discovered that about two weeks ago, then investigated and found that the breach of customers’ data had occurred in late February and early March.

EBay users responded skeptically on the company’s Facebook page.

Some were upset that the company took two weeks to go public with the discovery of an intrusion. Others ranted that eBay should be spending more of the money it collects to build better defenses.

Early Wednesday, doubts flourished about the credibility of tweets and posts that eBay had told anyone to change passwords. Consumers saw nothing on eBay’s home page and had gotten no message from the company.

“How do we know it isn’t your Facebook page that got hacked?” Christine Lehman, a Kansas City native and eBay user, wrote somewhat playfully on the company’s Facebook page.

EBay employees soon confirmed on Facebook that the message was correct.

The Associated Press contributed to this article.

To reach Mark Davis, call 816-234-4372 or send email to
