eBay Asks All Users to Change Password After Hack Attack
On May 21st eBay confirmed
that its corporate information network was attacked and a database
with users' encrypted passwords (and other non-financial data such as
name, email address, physical address, phone number, and date of birth)
was compromised. eBay is urging its customers to change their
passwords. eBay said it has no evidence of unauthorized use of
users' information on eBay.
PayPal (owned by eBay) stores information separate from eBay and eBay has no evidence that any PayPal data was compromised.
eBay began notifying users email, site communication, and other means to change their password.
Be very suspicious of fraudulent
scam ("phishing") email messages with links to change your
password. The links could be a scam to steal your username and
password. Only go to the eBay site by typing in the address in
your web browser (better yet, type it in a search using a browser with
a web reputation plug-in such as WOT, McAfee SiteAdvisor, or AVG LinkScanner to prevent a typing mistake from sending you to a squatter site).
When you change your password,
change it to something secure (complex). Make it hard for someone
else to guess, but easy for you to remember. Don't use your
username, your name, telephone number, street address, date of birth,
any word in the dictionary, patterns such as "qwerty", "123456",
"abc123", "111111", or "password1". Make it eight characters or
longer; longer is better. Make it a mixture of character types,
upper case letters, lower case letters, numbers, and special
characters. A good way to make a password more complex and secure
but easy to remember, is to make a pass phrase
and use a letter or symbol for each letter in the phrase. For
example the phrase "I like to go to the beach every Friday." becomes
When resetting your password, be
careful about answers to self-service password reset security questions
like "What is your mother's maiden name?", “Where did you go to
school?”, or “What is your favorite color?”. These questions are easy to find the answers
by mining social media sites or searching the Internet and hard for you
to remember. A hackers can find the answers to the site to reset
your password to a password the hacker can then use. (Sarah Palin's Yahoo! email password was reset by a hacker
in the 2008 presidential election using publicly available
information.) Instead I suggest lying when answering the security
questions. But remember what Abraham Lincoln said, "No man has a
good enough memory to be a successful liar."
If you used the same password at
other sites, change the password at those sites as well. Using
the same password on multiple sites opens you to attack if your
password at one of the sites is compromised as in this case.
Using a different password at each sites is a good practice.
If you have trouble remembering all the passwords, use a password manager such as LastPass, KeePass, RoboForm, or Password Safe.
The attack on eBay happened about
three months ago but eBay did not detect the problem until two weeks
ago. A few employees' log-in credentials were hijacked and that
provided access to the eBay corporate network.
eBay said that it believes that
they have shut down unauthorized access to their site and have put
additional measures in place to enhance security.
eBay Inc To Ask eBay Users To Change Passwords
eBay Blog - to ask users to change password
eBay FAQ on password change
If you need assistance with a security assessment, IT Professional
Services can help. Please contact us.
out more about our Managed
To find out how vulnerable your network is
schedule a free network security analysis today.