eBay reputation tarnished by breach response

eBay has been criticised for a lack of concise communication and poor security advice just 24 hours after the ecommerce giant disclosed that it had suffered a massive data breach.

eBay reputation tarnished by breach response
eBay reputation tarnished by breach response

Ever since the firm confirmed the news on Wednesday, it has urged its 145 million users to change their passwords.

To do this, users must visit www.ebay.com and go to account settings, account information and then click ‘edit' next to the obscured password. Users can then choose to create a new password by receiving a link to the log-in page by email or SMS.

Despite this appearing to be a simple process, the company's remediation efforts have been criticised for being ineffective, slow and for lacking adequate information.

The San Jose based group said that it had identified the breach in early May - months after the intrusion in late February and early March (this response time is not dissimilar to other companies, according to Trustwave's latest Global Security Report) – while the security advisory it posted on Wednesday is five steps removed from account holders, and not instantly viewable when users visit the home page or log into their account.

The company admits that it is still to send out advisory emails and marketing communications, raising the prospect that affected customers could be targeted by opportunistic phishing emails.

We are in the process of notifying all eBay users and asking them to change their password through email, site and other marketing communications channels,” reads the company's statement.

Andrew Rose, analyst at Forrester and a former CISO in the legal sector, was surprised at how eBay has handled the breach, and most notably on the firm's lack of communication and choice not to enforce automatic password changes.

“It's disappointing that eBay have not yet enforced password changes. Placing a warning on the webpage is a poor attempt as many customers access eBay via mobile apps which go straight to content and bypass any webpage based messages,” he told SCMagazineUK.com.

“I'm surprised that eBay haven't have sent out communications via email, or even via the in-app messaging systems which would be ideal for this. I simply don't understand the reason for the delay. Users are learning of eBay's advice via social media, and news websites, not from the firm themselves - that's bad PR. Overall, communications have been poor.” 

Rose, like many others in the industry, also questioned eBay's detection time – some two months. “We know when the attack took place, but we are not clear when the breach was detected - the latency here is critical if eBay are serious about their claim of prioritising the protection of their customer data.”

AppRiver senior security analyst Fred Touchette concurred with Rose that communication has been poor from the ecommerce company.

“People have been touching on the way eBay has gone about notifying its users. Utilising email notification to some users and then opting for just a posting seems a little less than the effort I would expect from a company that brokers online purchases.” 

“The whole idea with brokerage is safety in the purchase. I personally am a user of eBay and PayPal, especially this past week/month, and have been on eBay and have used PayPal coincidentally several times and I have never once received any sort of notification from either of these entities which worries me. I learned from the media and took it upon myself to change my passwords.” 

Troy Hunt, a security expert and Microsoft MVP, meanwhile expressed surprise at eBay's ineffective security measures for resetting passwords.

Writing on a recent blog post, he said that he was unable to copy strong, random passwords from his favourite password manager (such as 1Password or LastPass), and added that white spaces are also not allowed when manually typing the new passwords. Furthermore, seemingly complex passwords containing 20 random characters with multiple numbers, symbols and upper case characters are judged only as “medium” strength.

Strangely, eBay's Australian website recommends ‘bestjetpilot' as a good password and yet this example is invalid as it doesn't contain enough characters.

“Overall [it's] just a very bizarre combination of rules and approaches that simply don't add up,” Hunt told SC.

Dr Guy Bunker, cyber security expert at Clearswift and spokesperson for the Jericho Forum, agreed that the process of changing your password is not as easy as it should be.

“Passwords are the bane of many people's existence and while eBay recommends it is changed on a regular basis, the actual change process is not simple,” he said when speaking to SC, adding the need for good feedback when changing passwords.

“eBay needs to make is as simple as possible and as rigorous as possible – this means they need to update their application. They are doing this anyway to ‘force' people to change their password when they log in. Putting the ‘rules' on the page and providing indicators alongside the simple red / green indicator. 

“They also need to ensure that there is enough server/application capacity for the changes to occur, otherwise there will be increased frustration from the users... and at this point that would make their already tarnished reputation even worse.”