
ebay Security Breached



Jim Koepke
05-21-2014, 12:25 PM
It is in the news.

Google it.

They are suggesting everyone change their passwords.

jtk

Jessica Pierce-LaRose
05-21-2014, 12:40 PM
This is a good reminder not to use the same password/username combo at multiple sites, at least not multiple sites you care about. If a hacker now knows joesmith123@example.com uses password3456 at ebay, you can bet that combo's going to end up in their automated tools for other hacking attempts.

steven c newman
05-21-2014, 12:48 PM
Just got it changed over. Never is more than a few dollars in it, anyway. Password doesn't match any others I have, either the old one, or the new one.

Judson Green
05-21-2014, 12:56 PM
PayPal too?

Gonna do it any way.

Edit: Just skimmed the article, says PayPal not affected, but better safe than sorry.

Pat Barry
05-21-2014, 1:22 PM
It is in the news.

Google it.

They are suggesting everyone change their passwords.

jtk
Thanks Jim, but isn't it already way too late? "hackers managed to slip into one of its databases months ago"

If the hackers were in months ago, why are we just finding out now? Talking about driving while looking out the rear-view window. So STUPID.

It would be news if this came out months ago or if Ebay said, hey, don't worry - we got you covered. It's like we should just assume that each and every one of these on-line sites are vulnerable, they will get hacked, they will expose our personal info to the hackers, etc, etc, etc. One ultra-secure password for each site, changed frequently. How are we ever going to remember all this?

Jessica Pierce-LaRose
05-21-2014, 1:50 PM
One ultra-secure password for each site, changed frequently. How are we ever going to remember all this?

Password managers are perhaps the easiest, and perhaps best, way to do this, if you can keep the root password or managing devices secure. Two-factor authentication is good too - my bank, for example, if I log in from an unrecognized device or location, after entering my password, I get a text message to my phone with another password to enter. This makes a less-than-ideal password harder to get around.

The worst is that so many places force short alphanumeric passwords on you. It's much easier to remember a long phrase that's harder for a computer to guess than a random string of, say, 12 characters.

Daniel Rode
05-21-2014, 2:23 PM
+1

I happen to use Password Gorilla because I can share the DB across devices and platforms using dropbox. However there are many good secure password managers both free and paid.

Also, get in the habit of updating passwords often. I change my passwords every 90 days or so for any site that has any sort of payment information. Any stolen password is worthless in 90 days or less.

A few precautions upfront can make a big difference.


Password managers are perhaps the easiest, and perhaps best, way to do this, if you can keep the root password or managing devices secure. Two-factor authentication is good too - my bank, for example, if I log in from an unrecognized device or location, after entering my password, I get a text message to my phone with another password to enter. This makes a less-than-ideal password harder to get around.

The worst is that so many places force short alphanumeric passwords on you. It's much easier to remember a long phrase that's harder for a computer to guess than a random string of, say, 12 characters.

Paul Saffold
05-22-2014, 8:33 AM
Don't forget to change the password for automated bidding sites if you use them; they use the ebay password to place your bids. Wouldn't want to miss out on that long sought after what's-it.

David Weaver
05-22-2014, 8:39 AM
I'd consider it a bigger problem if you use your password elsewhere (including paypal). But even then, if someone uses your paypal account, you'll get an email notifying you that they're sending or receiving money. If someone uses your ebay account, same thing. If they change your password and don't know how to get to your email address to delete emails, you'll get an email notifying you that your password was changed, etc. It's not like someone will use the account for a million things, you'll never know, and you'll be a million in the hole.

But if your bank account password is the same, you might have more trouble to deal with!

I'd bet that the usefulness of this hack (to the hackers) will be more for trying the login and password on other sites, and then eventually using old abandoned accounts temporarily to sell things. Maybe ebay has mitigated that, but IIRC, 5 or more years ago, they had a problem with dormant accounts being hacked and then used for fraudulent sales where yours or my dormant account with 100 positive feedbacks would be used to sell something that was never going to be delivered. All of their arcane controls with paypal and such (limiting how you can get money out of it, etc) have really cut back on that, leaving the scamsters to no-sell estate tractors, backhoes and skid steers on craigslist, I guess.

Curt Harms
05-22-2014, 9:02 AM
Password managers are perhaps the easiest, and perhaps best, way to do this, if you can keep the root password or managing devices secure. Two-factor authentication is good too - my bank, for example, if I log in from an unrecognized device or location, after entering my password, I get a text message to my phone with another password to enter. This makes a less-than-ideal password harder to get around.

The worst is that so many places force short alphanumeric passwords on you. It's much easier to remember a long phrase that's harder for a computer to guess than a random string of, say, 12 characters.

Amen to that!! I presume short password requirements are a vestige of times when server capacity was expensive & limited and cracking less lucrative. I use a couple password strength checkers just for grins. They're not perfect by any means but I think they're instructive.

From Intel:

https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html

Another:

http://password-checker.online-domain-tools.com/

It's easier to remember something like One-Pets-Name&+some*childs_nickname than it is to remember A4z6ykzI7. Change, add, or leave out a few letters to make a dictionary attack less successful and sprinkle a few random numbers in.
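The entropy comparison behind the long-phrase point and the "checkers are not perfect" caveat above, as an added example that is not part of the thread. The naive checker model, the 7776-word list size, and the component counts for a personal phrase are assumptions made for illustration.

```python
import math
import string

def naive_bits(password: str) -> float:
    """Score the way many online strength checkers do: assume every character
    was drawn uniformly from the union of character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0

def scheme_bits(choices: list[int]) -> float:
    """Entropy when the attacker knows the construction scheme: the password is
    a sequence of independent picks, each uniform over `n` possibilities."""
    return sum(math.log2(n) for n in choices)

def random_word_bits(words: int, wordlist_size: int = 7776) -> float:
    """Passphrase of `words` words drawn at random from a word list (7776 is the
    size of a common diceware-style list; assumption)."""
    return scheme_bits([wordlist_size] * words)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate
    (1e10/s is a rough offline-cracking figure for a fast hash; assumption)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def compare() -> dict[str, float]:
    # Assumed model of the thread's personal phrase: pet name and child's nickname
    # each from ~5000 candidates, two filler words from ~2000, three separators
    # from ~10 symbols. If profile data leaks (see the breach itself), the two
    # names may be known to the attacker and drop to 1 choice each.
    personal = [5000, 5000, 2000, 2000, 10, 10, 10]
    personal_known_names = [1, 1, 2000, 2000, 10, 10, 10]
    return {
        "naive checker, A4z6ykzI7": naive_bits("A4z6ykzI7"),
        "naive checker, One-Pets-Name&+some*childs_nickname":
            naive_bits("One-Pets-Name&+some*childs_nickname"),
        "personal phrase, scheme known": scheme_bits(personal),
        "personal phrase, names also known": scheme_bits(personal_known_names),
        "random 12 alphanumeric": scheme_bits([62] * 12),
        "6 random dictionary words": random_word_bits(6),
    }
```

The checker score for the long phrase is over 200 bits, but once the attacker knows it is built from names and common words the real figure is closer to a random 9-character string, and lower still if the names are in leaked profile data; a phrase of truly random words beats the 12-character random string the post mentions.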

Jim Koepke
05-22-2014, 10:49 AM
I'd bet that the usefulness of this hack (to the hackers) will be more for trying the login and password on other sites, and then eventually using old abandoned accounts temporarily to sell things.

In one of the reports I read it said the stolen passwords were encrypted. Whether the hackers could decrypt them was unknown. Just for good measure it was felt the best move was for everyone to change their passwords.

jtk

David Weaver
05-22-2014, 10:57 AM
We were told for a while that the information that was stolen for Target users was encrypted, etc. I wouldn't trust ebay to tell us the whole story on the first try, just based on experience from prior breaches with other companies. I think, my opinion, that there is a PR strategy to release bad news in phases because it's perceived as less bad and you can wait and see if the story blows over before you release the most gory of details.

I don't know that's true, or know that there's more to the ebay breach than what's been released, I just personally operate as if it is and try to anticipate what all of the details might be vs. what's been released.

Jim Koepke
05-22-2014, 11:04 AM
It's easier to remember something like One-Pets-Name&+some*childs_nickname than it is to remember A4z6ykzI7. Change, add, or leave out a few letters to make a dictionary attack less successful and sprinkle a few random numbers in.

It is also easy to remember the first letter of the first 10 words of a famous speech. Use a date for the numbers but shift some of them so they become special characters.

My former employer changed the payroll and time keeping system. It required everyone to have a password and change it every 4 weeks. For some reason the PeopleSoft software would not take the new passwords of half the people trying to change them. It would also lock people out if they hadn't changed their password soon enough.

It may have saved accounting a bit of the trouble of printing out and delivering checks. It sure caused a hassle with the computer support group and every other work group while people were trying to get their payroll information out of the few computers in some work areas.

After a month or so of this they changed it to changing passwords twice a year. I retired before having to change my password again.

One group saved $50,000 a year. Bonuses all around!

The combined loss of labor hours fighting the system likely cost 10 times that much. Of course those people are all slackers.

I am sure someone got rewarded highly for the new system.

jtk

Dan Hintz
05-22-2014, 11:48 AM
I retired before having to change my password again.

One group saved $50,000 a year. Bonuses all around!

Maybe they should have gotten rid of you sooner, Jim ;)

Mel Miller
05-22-2014, 1:48 PM
I haven't worried about it too much. Ebay didn't notify people to change their passwords, and I see little chance of problems if someone did get my password. It won't lead them to my Paypal account money.

Daniel Rode
05-22-2014, 1:55 PM
Famous last words...

I haven't worried about it too much. Ebay didn't notify people to change their passwords, and I see little chance of problems if someone did get my password. It won't lead them to my Paypal account money.

Judson Green
05-25-2014, 6:50 AM
Got an email this morning, eBay is requiring users to change their password.

Jim Matthews
05-25-2014, 7:04 AM
Three months and the avatar still makes me laugh.

Ole Anderson
05-25-2014, 8:54 AM
I got the email from Ebay yesterday, but I haven't been able to get in and change my password yet because either the site is so busy with password changes or maybe my WiFi at 1-2 bars while up north is just too slow. When I get home I will change all my passwords. I am considering using Comcast's Constant Guard password manager, but what happens if they get hacked and now someone has ALL of my passwords? I have probably a dozen or more sites needing passwords. No way could I remember a different one for each site, let alone change them out at a regular frequency. So I am considering one password with a minor prefix or suffix variation that will be site specific. Or not, now that you all know my scheme...

Judson Green
05-25-2014, 10:02 AM
I got the email from Ebay yesterday, but I haven't been able to get in and change my password yet because either the site is so busy with password changes or maybe my WiFi at 1-2 bars while up north is just too slow. When I get home I will change all my passwords. I am considering using Comcast's Constant Guard password manager, but what happens if they get hacked and now someone has ALL of my passwords? I have probably a dozen or more sites needing passwords. No way could I remember a different one for each site, let alone change them out at a regular frequency. So I am considering one password with a minor prefix or suffix variation that will be site specific. Or not, now that you all know my scheme...


Ya have to select a question and provide an answer at the bottom of the reset password screen. Not sure if ya are, but that was messing me up.

Scott Shepherd
05-25-2014, 10:57 AM
Guys, dig into this a little deeper, it has nothing to do with resetting your password. They are encrypted and pretty safe, the underlying story that's not being reported on non-tech sites is that they DID get all your information. So everything in your profile, your name, address, telephone number and anything else you have in there WAS compromised and stolen. Just be on your toes for phone calls, emails, and snail mail scams for a while now. Surely they won't mention ebay, they'll use your info to see if they can scam you in whatever way they plan on using it.

Brian Elfert
05-25-2014, 2:51 PM
My email address, mailing address, and phone number are all available from numerous sources so not too worried about that. Yes, having all three in one place could be an issue, but I'm pretty certain I'm smart enough not to fall for any scams if I got contacted. Of course, if even 1% fall for a scam someone will make a lot of money on scams.

ken masoumi
05-25-2014, 3:15 PM
I've been receiving phishing emails lately that have my full name on them instead of "dear customer". These emails are from Apple, Paypal, Skype. They look very legit. I wonder if it has anything to do with the security breach at ebay.

Roger Feeley
05-25-2014, 10:48 PM
For what it's worth, some years ago, PayPal did have a breach and they handled it really well. As I recall, they put out an email very quickly to all affected. They accepted responsibility for the system weakness. They announced that the FBI was already involved. They announced that they had hired away the chief of security for the Federal Reserve interbank switch (the network they use to move money from bank to bank). I remember thinking at the time that, next to not having the breach, they handled it in the best possible way.

In any case, I remember being very impressed.