How not to handle a security breach, the eBay way
You can’t have failed to notice by now that eBay has had a bit of a problem relating to leaked user data. The mainstream media was all over the story yesterday -- you know things are bad when the TV news takes notice of IT matters.
To reprise the facts it seems that attackers gained access to a number of eBay employee login credentials which allowed them to access the auction site’s systems. This may have happened as long as three months back but the company only became aware of it around two weeks ago.
According to a post on eBay's corporate pages, "The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information".
This in itself is bad enough as it means hackers could have been busy on decrypting passwords for weeks. What makes it worse though is the way eBay has handled the problem.
Hints that something was wrong started to appear yesterday morning -- early afternoon here in the UK -- when a post appeared on the PayPal Forward blog. This disappeared again fairly quickly, leading industry watchers to believe it may have been posted in error as part of test of security procedures.
A couple of hours later though it was back for good, along with the eBay corporate post. That sparked the interest of the media but at this point the company wasn't doing anything to alert its 128 million users.
As of 4pm EDT yesterday there was no warning on the eBay homepage, there were no emails to customers, there was no forced password reset when you logged in. There was information on the site but you had to click through several links in order to find it.
Today it seems eBay is finally starting to get its act together. There's now a prominent banner on the site, click it and you're taken to a message from Devin Wenig, President, eBay Marketplaces. This advises that next time you visit the site you should, "Take a moment to change your password. You can do this in the 'My eBay' section under account settings. This will help further protect you; it’s always a good practice to periodically update your password. Millions of eBay users already have updated their passwords".
That's a start, but it really should be enforcing a password change not just asking nicely. And it should be informing users by email rather than waiting for them to login. It sends out marketing emails regularly so we know it has the mechanism in place.
Finally it's about time eBay offered two-factor authentication via a mobile phone. Currently the only way you can get 2FA on eBay is if you’ve signed up -- and paid -- for a PayPal security key gadget. Odd that because the PayPal site itself allows you to use your mobile as an alternative.
The message here for all companies is that when a major security problem occurs you need to take a proactive approach to alerting customers. Letting the story slip out via stealth and triggering a media storm before you inform your customers really isn't good enough.