eBay – Change your passwords

Yep, this announcement was published by eBay and retracted and then put back out again. So yes, this is real.

EBay customers must reset passwords after major hack  CNN Money

Not just a rumor…as a precaution, in case the hackers are really good … time to change your ebay passwords. 

Hackers quietly broke into eBay two months ago and stole a database full of user information, the online auction site revealed Wednesday.

Criminals now have possession of eBay customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates.

The company said the passwords were encrypted and are virtually impossible to be deciphered. Still, as a precaution, eBay is asking everyone to reset their passwords late Wednesday.

The company isn’t saying how many of its 148 million active accounts were affected — or even how many customers had information stored in that database. But an eBay spokeswoman said the hack impacted “a large number of accounts.”

eBay Suffers Massive Security Breach, All Users Must Change Their Passwords – May 21, 2014 – Forbes:

eBay is taking the breach extremely seriously stating that users employing the same password across eBay and other sites should also change those passwords. It stresses your eBay password should be unique.


eBay Inc. To Ask eBay Users To Change Passwords – eBay Announcements page (Posted May 21st, 2014 at 8:50 AM):

eBay Inc. To Ask eBay Users To Change Passwords

Earlier today eBay Inc. announced it is aware of unauthorized access to eBay systems that may have exposed some customer information. There is no evidence that financial data was compromised and there is no evidence that PayPal or our customers have been affected by the unauthorized access to eBay systems. We are working with law enforcement and leading security experts to aggressively investigate the matter.

As a precaution, we will be asking all eBay users (both buyers and sellers) to change their passwords later today. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We regret any inconvenience or concern that this situation may cause you.  We know our customers and partners have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

Click here for updates and additional information.

– See more at: http://announcements…h.V13eaJ1m.dpuf

That Click here link above: Frequently Asked Questions on eBay Password Change – ebayinc.com:

What happened?

Our company recently discovered a cyberattack that comprised a small number of employee log in credentials, allowing unauthorized access to eBay’s corporate network.  As a result, a database containing encrypted password and other non-financial data was compromised.  There is no evidence of the compromise affecting accounts for Paypal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats.  The company is asking all eBay users to change their passwords.

What customer information was accessed?

The attack resulted in unauthorized access to a database of eBay users that included:

Customer name
Encrypted password
Email address
Physical address
Phone number
Date of birth

Was my financial information accessed?

The file did not contain financial information, and after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. Likewise, the file did not contain social security, taxpayer identification or national identification information.

Has the issue been resolved?

We believe we have shut down unauthorized access to our site and have put additional measures in place to enhance our security. We have seen no spike in fraudulent activity on the site.

BOLD RED emphasis mine.

More in the article.

I think there is some truth to this too:

eBay’s handling of cyber attack ‘slipshod’ – The Telegraph:

A British security expert has branded eBay’s reaction to a huge cyber attack “slipshod” as emails warning customers that their personal details were stolen have still not been sent out, almost 24 hours after news of the security breach was inadvertently leaked

I certainly would have appreciated an email (not with a link it it necessarily) but message within my eBay would have been good. I don’t click links in email but I would have gone to eBay announcements link at the bottom of every eBay page.

However, as a user, I really appreciate that eBay was forthcoming in the ebayinc.com FAQ.

I changed my eBay password as soon as I heard about it the first time. If you haven’t, please, go take care of that and make sure it is a unique password.

Advertisements

Heartbleed, OpenSSL and Perfect Forward Secrecy

If you want to know the quick and easy way to understand what Heartbleed is, How the Heartbleed Bug Works and what it means to you in very simple and elegant terms, there’s this wonderful xkcd cartoon today:

Heartbleed Explanation: How the Heartbleed Bug Works - xkcd.com - Click on image to go to the site to see it larger

Heartbleed Explanation: How the Heartbleed Bug Works – xkcd.com – Click on image to go to the site to see it larger

And that my friends is pretty much it in the nutshell.

Due to this ‘bug’ or what could be commonly called in days gone by as a type of buffer overflow condition causing leaking of information, sometimes serious and important information.

You will or at least you should be hearing from secure websites where you have made purchases and have accounts, as well as banks you use, and many more secure websites as they update their SSL Certificates.

Many have been working on this and many have already taken care of this on their servers.

Once it is taken care of, then you want to change your password but not before.

If the website was vulnerable, they should be contacting you, or when you login you will see a notice about it. Soundcloud.com was a good example. When I logged in today, they presented a banner across the top about the Heartbleed vulnerability.

When/If a secure website was vulnerable, they will be contacting you when they get this fixed on their website server, so you can change your password.

The sad thing is that this bug has been out there for at least 2 years!

Here’s a really good article about this in layman’s terms and there are several sites for testing supposedly secure websites for your banks, credit card companies, email, etc.:

Heartbleed OpenSSL Bug FAQ for Mac iPhone and iPad users – Intego.com Blog

What CERT and others are recommending to these websites that are vulnerable is to implement Perfect Forward Secrecy like StartPage.com and ixquick.com where they have this knowledge base article:
“Heartbleed” is a security vulnerability in OpenSSL (Secure Socket Layer) encryption that permits eavesdropping on communications and access to sensitive data such as passwords. Heartbleed gives read access to the memory of the encryption functions of vulnerable servers, allowing attackers to steal the private keys used to encrypt data transmissions.StartPage’s vulnerability to this attack was limited, since we had implemented a more secure, upgraded form of SSL known as Perfect Forward Security (PFS) in July 2013. PFS is generally supported by most recent browser versions. Since PFS uses a different “per-session” encryption key for each data transfer, even if a site’s private SSL key is compromised, past communications are protected from retroactive decryption.

Security is a moving target, and we work hard to stay ahead of the curve. Immediately after the Heartbleed security advisory, StartPage’s encryption modules were updated and encryption certificates were changed.

In independent evaluation, StartPage and Ixquick outscore other search engines on encryption standards, earning an A+ rating. See Qualys’ SSL Labs evaluation of StartPage’s encryption features here:
https://www.ssllabs.com/ssltest/analyze.html?d=startpage.com&s=69.90.210.72

This problem is serious and needs to be addressed, but don’t panic. Secure websites that are vulnerable are working on the problem that was discovered this week.

Wait to hear from companies about whether they were vulnerable and that they have fixed the vulnerability on their secure webservers before changing any passwords.

Some good things to note, Apple and Microsoft have already notified that their services are not vulnerable. Here’s the Hit List from Mashable:

The Heartbleed Hit List: The Passwords You Need to Change Right Now – Mashable

Some big names that you might be happy to hear were not affected according to the Mashable article:

Apple, Microsoft, Amazon, eBay, PayPal, Target, Walmart, LinkedIn, Hulu, AOL email, Hotmail/MSN/Outlook.com emails and more.

All the Google servers have been updated:

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that that we can fix software flaws before they are exploited.

More in the article.

More information on Heartbleed:

EDIT: Please check the comments for some additional links that are very helpful and informative about the Bleeding Hearts Club by EFF.org, the vulnerable routers from Cisco/Juniper Networks as well as some additional VPN  and other products. And some good news about 1Password.