eBay hack handling slammed as stolen data allegedly hawked

eBay has been slammed by security experts for how it handled notifying users of recent account hacks, with the auction site's decision to send out password change emails criticized for being far too similar to how phishing exploits work. The site recommended that all users change their login credentials after discovering that hackers had raided their databases in mid-Q1, but the method by which it did so may not have been the safest.

eBay opted to fire out a mass email blast to all registered users of the service, advising them of the hack and recommending that they log in and change their password – as well as with any other service using the same password and email pair.

However, security experts point out, emails in the aftermath of a hack can often be the handiwork of phishing scammers, hoping to capitalize on account confusion by directing users to fake account recovery pages. Instead of resetting their password, they inadvertently hand over their details.

Better, it's suggested, would have been to do a sweeping reset of passwords and then simply notify users that the next time they visited eBay and tried to log in, they'd have to go through that process first.

That's just what eBay has subsequently decided to do, a new FAQ about the hack confirms. The company maintains that it has seen no evidence of unauthorized access as a result of the hack, which saw account details but not payment information stolen.

"We are asking all eBay customers to change their password the next time they log into their eBay account. We are making this decision out of an abundance of caution" eBay

There are already unconfirmed signals that some of the data could be filtering out for those willing to pay for it, however. A database dump of over 145m unique records is being offered around for 1.453 BTC (approximately $750), with a sample set of over 12k records from the APAC region said to prove validity.

SOURCE eBay; Hacker News