eBay got hacked, says financial information is safe...

Macs

eBay hacked, requests all users change passwords

eBay confirms users' passwords were compromised but says there's no evidence any financial information was accessed.

eBay's morning just went from bad to worse. The e-commerce site confirmed Wednesday that its corporate network was hacked and a database with users' passwords was compromised. While eBay says there is no evidence that users' financial information was accessed in the hack, the company is telling all users to change their passwords.

eBay contacted CNET after this story was initially published, saying it discovered "recently" that it was a victim of "a cyber attack on our corporate information network, which compromised a database containing eBay user passwords." The company's spokesperson told CNET there is "no evidence that any financial information was accessed or compromised."

The statement follows an odd stream of events this morning when eBay-owned PayPal posted a blog entitled "eBay, Inc. to Ask All eBay users to Change Passwords." The blog post included nothing but the title, but quickly hit the Web after it was retweeted dozens of times. The blog post was then taken down from PayPal's site, causing even more confusion for users of the online auction house.

eBay has since posted information about the hack on its official blog. The company will ask all users to change their passwords starting later on Wednesday.

eBay shares are down 1.73 percent, or 90 cents, to $51.06, following news of the hack.

The database, which eBay said was compromised in late February and early March, held eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. However, the company says users' financial information was not accessed.

"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats," eBay wrote in the post. "However, changing passwords is a best practice and will help enhance security for eBay users."

eBay also tried to allay concerns of PayPal users who store credit card information on the service. Although eBay owns PayPal, the online auction site says that "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."

eBay said it detected the hack two weeks ago and engaged in forensics activities to determine what database was compromised and what was stolen. The company narrowed down the attack to "a small number of employee login credentials" stolen by cyberattackers, which it said provided access to eBay's corporate network.

Starting later on Wednesday, eBay will use email, site updates, and "other marketing channels" to request its users change their passwords. The company also encouraged its users to change the passwords on any other sites they might use with the same log-in credentials. It even ended its blog post with a security tip: "The same password should never be used across multiple sites or accounts."

eBay's hacking should be taken seriously. The e-commerce site has 128 million active users around the world. While the company has acknowledged that it will ask every user to change their password, eBay hasn't said how many customers might have had information stolen.

With Heartbleed wreaking havoc on the Web and an increasing number of major companies having their servers hacked and personal information leaked, Web security -- or lack thereof -- is becoming a huge concern for Web users. The eBay hack could prove to be the biggest security flaw to affect users since last year's Target data breach. That hack is believed to have impacted 110 million customers and left personal information -- including names, mailing addresses, phone numbers, email addresses, and debit and credit card data -- open to hackers.

CNET has contacted eBay for more information on the hack. We will update this story when we have more information.

http://www.cnet.com/news/ebay-hacked-requests-all-users-change-passwords/


 
These breaches are getting ridiculous. At this point, if you have an account at any of the breached sites, your login credentials are already out in the wild. The databases get posted up within hours of the breach and thousands of hackers/crackers/kiddies start harvesting the passwords. 90% are cracked within hours. They then add those passwords to existing password lists to make future cracking even easier.

At this point your passwords really need to be alphanumeric, with symbols if permitted, and alternating case. They should also be 20 or more characters if possible. Length is really the best safeguard. Everyone should have at least one spam mail account and at least 3 or 4 levels of passwords of varying complexities to use at different kinds of websites.
 
At this point your passwords really need to be alphanumeric, with symbols if permitted, and alternating case. They should also be 20 or more characters if possible. Length is really the best safeguard. Everyone should have at least one spam mail account and at least 3 or 4 levels of passwords of varying complexities to use at different kinds of websites.
i just mash the keyboard, then copy and paste.
i keep text files with the mashes.

lbkjasfvdblvefbaujjqt42unu0-v6524n8yupoq42tv;oi
 
These breaches are getting ridiculous. At this point, if you have an account at any of the breached sites, your login credentials are already out in the wild. The databases get posted up within hours of the breach and thousands of hackers/crackers/kiddies start harvesting the passwords. 90% are cracked within hours. They then add those passwords to existing password lists to make future cracking even easier.

At this point your passwords really need to be alphanumeric, with symbols if permitted, and alternating case. They should also be 20 or more characters if possible. Length is really the best safeguard. Everyone should have at least one spam mail account and at least 3 or 4 levels of passwords of varying complexities to use at different kinds of websites.

What you're talking about is brute forcing which is completely different than hacking a website btw... Which is more of a targeted hack. When it comes down to it, if a hacker (who knows what he/she is doing) wants to get access, they will get in eventually...
 
That information can easily be used to acquire accounts (if they didn't already) using "Lost Password?". That being said, "financial information was not accessed", who doesn't link their credit card/debit card/paypal to their e-bay account. Very skeptical here...

Also, people have their ebay accounts compromised every day by hackers, so "no evidence of the compromise resulting in unauthorized activity", lies!
 
That information can easily be used to acquire accounts (if they didn't already) using "Lost Password?". That being said, "financial information was not accessed", who doesn't link their credit card/debit card/paypal to their e-bay account. Very skeptical here...

Also, people have their ebay accounts compromised every day by hackers, so "no evidence of the compromise resulting in unauthorized activity", lies!

I don't link them, specifically cause this might happen

 
I don't link them, specifically cause this might happen


1 of every few hundred thousand people don't (probably) :P

10x worse for people who use the same password for everything....
 
What you're talking about is brute forcing which is completely different than hacking a website btw... Which is more of a targeted hack. When it comes down to it, if a hacker (who knows what he/she is doing) wants to get access, they will get in eventually...

What I'm talking about is hackers downloading user credential databases and cracking the hashed passwords. This gives them login info for all the users on the site which they can then try on other sites as well. That's usually the purpose of such activity.
 
What I'm talking about is hackers downloading user credential databases and cracking the hashed passwords. This gives them login info for all the users on the site which they can then try on other sites as well. That's usually the purpose of such activity.

Or to troll....

Username/Password lists are all over the internet, mostly unlisted in google. You just have to know where to look.

If a hacker wanted to, they can create a forum like GTAM, have all the user logins and access to the db with hashed pws as well.... Cracking those passwords would take more time than it's worth in hopes that it works for another site.
 
Take more time than it's worth? Yeah, in 1999.

Read this: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The sweet stuff:

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively. (For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger.")

While Anderson's 47-percent success rate is impressive, it's miniscule when compared to what real crackers can do, as Anderson himself made clear. To prove the point, we gave them the same list and watched over their shoulders as they tore it to shreds. To put it mildly, they didn't disappoint. Even the least successful cracker of our trio—who used the least amount of hardware, devoted only one hour, used a tiny word list, and conducted an interview throughout the process—was able to decipher 62 percent of the passwords. Our top cracker snagged 90 percent of them.

The Ars password team included a developer of cracking software, a security consultant, and an anonymous cracker. The most thorough of the three cracks was carried out by Jeremi Gosney, a password expert with Stricture Consulting Group. Using a commodity computer with a single AMD Radeon 7970 graphics card, it took him 20 hours to crack 14,734 of the hashes, a 90-percent success rate. Jens Steube, the lead developer behind oclHashcat-plus, achieved impressive results as well. (oclHashcat-plus is the freely available password-cracking software both Anderson and all crackers in this article used.) Steube unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine that contained two AMD Radeon 6990 graphics cards. A third cracker who goes by the moniker radix deciphered 62 percent of the hashes using a computer with a single 7970 card—also in about one hour. And he probably would have cracked more had he not been peppered with questions throughout the exercise.

The least successful guy deciphered 62% of the passwords in one hour, while conducting an interview. 90% were cracked after 20 hours, of course all automated without actual human involvement beyond starting the process. All this with a single computer and a single GPU.

Accomplished crackers will use multiple GPUs with massive amounts of processing capacity.
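
The Ars excerpt quoted above describes a list of unsalted MD5 hashes. As an added example (not part of this thread or the Ars article), this Python sketch puts that legacy format beside a salted, iterated PBKDF2 record and upgrades a legacy entry on the next successful login. The record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware
PREFIX = "pbkdf2_sha256"     # assumed record tag, not from any real site


def md5_hex(password: str) -> str:
    """Legacy scheme described in the quoted article: one fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Salted, iterated record: tag$iterations$salt$derived_key."""
    salt = os.urandom(16)  # unique per user, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str):
    """Return (ok, upgraded). upgraded is a new record when a legacy MD5
    entry matched and should be overwritten in the user table."""
    if record.startswith(PREFIX + "$"):
        _, iters, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    ok = hmac.compare_digest(md5_hex(password), record)
    return ok, (make_record(password) if ok else None)


def login(users: dict, name: str, password: str) -> bool:
    """Check a login and migrate the stored record on success."""
    ok, upgraded = verify(password, users[name])
    if ok and upgraded:
        users[name] = upgraded
    return ok


if __name__ == "__main__":
    # Constructed user table; the hash is the MD5 of "password" quoted above.
    users = {"alice": "5f4dcc3b5aa765d61d8327deb882cf99",
             "bob": "5f4dcc3b5aa765d61d8327deb882cf99"}
    print(users["alice"] == users["bob"])   # same password, same stored hash
    print(login(users, "alice", "password"), users["alice"][:30])
    print(login(users, "bob", "password"), users["alice"] != users["bob"])
```

With unsalted MD5, two users with the same password share one stored value, so a single guess covers both; after migration each record carries its own salt and costs 600,000 HMAC rounds per guess.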
 
so using the last 4 digits of my phone as a pin number and my street address as a password is no longer enough???
 
so using the last 4 digits of my phone as a pin number and my street address as a password is no longer enough???

1234, 000 or "password" is what you wanna use
 

I agree, except for the 'we trained people' part. Often you don't have a choice as a website/service requires you to make up this god awful mixture of numbers/letters/caps/punctuation that is no more than 12 chars in length, and will reject any password containing a dictionary word in it.
 
I agree, except for the 'we trained people' part. Often you don't have a choice as a website/service requires you to make up this god awful mixture of numbers/letters/caps/punctuation that is no more than 12 chars in length, and will reject any password containing a dictionary word in it.

That is exactly what the "we trained people" bit is referring to. The people who develop those websites are still people.
 
Ahaa .. .that's why they required password resets earlier this week and basically stated that as part of due diligence I need to change my pwd ... LOL .... liars.
 