eBay publish “Important Password Update” message
eBay have posted a message signed off by Devin Wenig, President, eBay Marketplaces asking users to change their passwords. The message is linked from the eBay home page or can be found at eBay.co.uk/reset (http://www.ebay.co.uk/reset).
Changing your password on eBay Mobile Apps
What the message doesn’t tell you is how to reset your password if you’re using an eBay mobile app. The answer is that you can’t. If you’re a mobile app user you will need to log onto a browser and the main eBay site to change your password.
We know there are millions of eBay mobile app users and suspect that many of them have never visited the main eBay site but instead purely relied on their mobile device for eBay shopping. That may be even more true in countries other than the UK.
Hearts and Minds
What’s missing in the message is the word “Sorry”, or any advice on steps you can take to protect yourself from identity fraud. Personally I’m not that bothered – the information snatched from eBay is pretty easy to come by anyway if you know where to look on the net (for instance, apart from your date of birth, many UK business sellers publish the other information – address, email, phone number etc – on every eBay listing). That won’t be true for many, however, who will be listening to the scaremongering about their bank accounts being raided or receive a phishing email which suddenly seems much more sinister than the one they received last month or last year.
eBay need to send a strong message to buyers that eBay is a safe place to do business, and the “Important Password Update” message is a good start. Here at Tamebay we look forward to the battle of hearts and minds which in some ways is far more important than the security breach itself. The press are on one side (eBay security breach is a great big juicy story that will run and run), eBay are on the other. eBay need to win the war.
Here’s the full text of the message from Devin:
Important Password Update
Keeping Our Buyers and Sellers Safe and Secure on eBay
On Wednesday, we announced that we are asking all eBay users to change their password. This is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.
Because your password is encrypted (even we don’t know what it is), we believe your eBay account is secure. But we don’t want to take any chances. We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay. So we think it’s the right thing to do to have you change your password. And we want to remind you that it’s a good idea to always use different passwords for different sites and accounts. If you used your eBay password on other sites, we are encouraging you to change those passwords, too.
Here’s what we recommend you do the next time you visit eBay:
1) Take a moment to change your password. You can do this in the “My eBay” section under account settings. This will help further protect you; it’s always a good practice to periodically update your password. Millions of eBay users already have updated their passwords.
2) Remember to always use different passwords on different sites and accounts. So if you haven’t done this yet, take the time to do so.
Meanwhile, our team is committed to making eBay as safe and secure as possible. So we are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do.
Thanks for your support and cooperation. eBay is your marketplace, and we are committed to keeping it one of the world’s safest places to buy and sell.
President, eBay Marketplaces
There is no “account settings” in my Ebay maybe they should try & get it right under account & personal information, password & edit unless I am a complete idiot. Come on Ebay stop taking my fees for nothing !!!
Not had a single email from eBay about this, I joined eBay in 2004.
It’s nice to be appreciated.
Mind you, I have lots of defects.
You are one of the reasons I read tamebay! Your comments are always very entertaining and thoughtful
Sky News has just tweeted this:
Reuters: New York’s Attorney General asks eBay to provide free credit monitoring for all 145 million users following a security breach
ebay are even dumber than I thought they were.
Message on the website is not much use to the people who don’t visit often – these are exactly the kind of members who are most vulnerable.
What’s wrong with an email?
as ebay are hacked could you trust an email directing you to enter or change your password ???..
The email does not need to contain any links, just an instruction to log in and change password – so yes, it can be trusted.
so what about the one could be a scam that does contain a link? ebay would then get the blame for that too,
they're damned if they don't, damned if they do, nothing serious has actually happened other than a PR disaster for ebay, it's all hypothetical so far
I have not received the mentioned message from eBay! although I have been an eBay seller for fourteen years.
In my opinion there is a huge flaw in the ‘security’ advice offered concerning passwords.
We are advised to have different passwords for every application, clever involved complicated passwords (I have about thirty to consider) for banking, shopping, messaging, surfing etc – but choose ones we can remember but never write down. How is this possible for us mere humans?
I always ask how to do this but they can never advise on or commit themselves on this. How on earth can we avoid writing down passwords until ‘they’ come up with some way of remembering them?
Hi Brian. The simple answer is it's not really possible without software. I use lastpass.com for my company. Very cheap and makes life so much easier. Works on computers and mobile app meaning the only password you actually have to remember is the one for lastpass. It also generates secure passwords for you. There is also a free version if you don't need your passwords on mobile.
Hope this helps
as usual the biggest problem seems to be ebay's disdain and arrogant attitude towards its members
EBAY'S PHONE SUPPORT WAS ENGAGED ALL DAY YESTERDAY. I KNOW WHY. THERE ARE 2 REASONS WHICH ARE STILL NOT RESOLVED. The eBay rep I spoke to on the phone could not understand why the system was rejecting my current password but after spending ages changing my 9 passwords I eventually figured out myself that the problem occurs if you have a password over 20 characters long. Because eBay now no longer allow more than 20 characters you can’t change your password using your current password because eBay’s system will not accept your current password as a valid password. You have to use the I forgot my password link. The other problem I encountered was trying to get a STRONG password. I used 5 random numbers 5 random upper & 5 lower case letters & 5 SYMBOLS & could only get a medium password. After phoning eBay again I was told to just use a medium password but I insisted that this was not acceptable. I did not want to spend time changing 9 passwords if they were only going to be medium. After repeating myself at least 5 times insisting I wanted a strong password I was eventually told to make sure I used the @ symbol at the start then a number & at least one upper & one lower case letter. It worked fine then. I now have a strong password that only has 7 characters instead of 24. On the change password page it says to use at least 2 of the following…one upper one lower case letter, numbers or symbols when in reality you only get a strong password if you use all 4 options & start with a @ symbol. Why Oh Why can't eBay update their website with this information & save their customers the hassle of finding out by themselves by trial & error? I can update my site in 30 seconds.
Great for hackers to know that they should try to guess seven character passwords as six letter passwords prefaced with “@”. Cuts the processing time down enormously to know what the first character is likely to be for a strong password!
Chris, it’s eBay’s password system that creates the confusion. For instance H5gY7t3E24dgKpVjdvAz according to eBay is only a medium strength password. But @7YkOi9 is strong. How they work that out is beyond me but that is what I was told by the rep during a 30 minute conversation. I was put on hold 3 times while she got me this info. If I had not insisted I did not want a medium password I would never have found out. Anyhow you can use 20 characters if you like. Doesn’t have to be 7.
When I checked these example passwords on the Microsoft password checker I get the opposite result!
In other words the longer pseudo random password was rated strong and the shorter one was only rated medium which is what I would have expected.
The use of additional printable ASCII characters does improve the password protection (keyboard and system can limit this of course) but it is still better to use over 12 characters if you can.
My view is that you have got bad advice from eBay and I would strongly recommend you use at least 15 characters including upper, lower case letters, numbers & a selection of permitted ASCII characters allowed by the eBay system (not aware of its limitations).
So the use of a password like @7YkOi9 should be avoided – it must be longer!
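Added example (not part of the original post or its comments): the two passwords quoted above, rated by a composition-rule meter and by a brute-force size estimate. The composition_meter function is a hypothetical model of the behaviour the commenters report, not eBay's actual code, and the estimate assumes every character is drawn uniformly from the character classes in use.

```python
import math
import string

# Character pools a guesser has to cover for each class seen in a password.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, pool in POOLS.items()
            if any(ch in pool for ch in password)}

def composition_meter(password):
    """Hypothetical meter: rates by variety of classes only, ignoring length."""
    count = len(classes_used(password))
    if count == 4:
        return "strong"
    return "medium" if count >= 2 else "weak"

def brute_force_bits(password, known_prefix=0):
    """Upper bound on guessing work in bits.

    known_prefix is the number of leading characters a guesser already
    knows, for example when a site's rules push users to start with '@'.
    """
    pool = sum(len(POOLS[name]) for name in classes_used(password))
    unknown = max(len(password) - known_prefix, 0)
    return unknown * math.log2(pool) if pool else 0.0

def compare(passwords):
    """Return (password, meter rating, bits, bits with first char known)."""
    return [(p, composition_meter(p), round(brute_force_bits(p), 1),
             round(brute_force_bits(p, known_prefix=1), 1)) for p in passwords]

if __name__ == "__main__":
    # The two passwords quoted in the comments above.
    for row in compare(["H5gY7t3E24dgKpVjdvAz", "@7YkOi9"]):
        print("%-22s meter=%-6s bits=%6.1f bits_if_prefix_known=%6.1f" % row)
```

The bit counts are an upper bound for randomly generated passwords only; a passphrase built from words or dates is far easier to guess than its length suggests.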
What’s the point in having a strong password on eBay anyway. The hackers have now stolen all the ‘encrypted’ passwords under ebay’s protection. The passwords may have been strong, weak or medium. It made no difference. ebay have allowed them all to be taken.
What’s the point of ebay advising customers to use strong passwords if they then pass them on in bulk to the hackers?
……….. along with your (not encrypted) full name, date of birth, address, telephone number, and more.
– The failure to “encrypt” ALL user information is inexcusable.
– eBay should not be storing passwords. To have stored “encrypted” passwords when a one way password hash and per id salt could have been used is even worse. To be fair there is some confusion in this area, eBay mention in most press releases that passwords were encrypted (generally useless) but in a post by one of their staff made on Twitter they referred to Hash and Salt protection (better as long as they used a unique salt value per user, which thus far they have not responded to questions on).
– To have a system where an external person (or staff member) could steal a copy of a large portion of the xxx million user database without immediate alarm and protection systems intervening beggars belief.
The eBay user database is (was) one of the few “crown jewels” of global identity theft targets. Events and reports thus far seem to suggest that it didn’t have appropriate protection.
The failure to professionally encrypt and then securely manipulate and store customer information is totally inexcusable!
But I suppose they have been working so very hard on just trying to get ‘search’ and ‘best match’ to work along with all those wizzy new ideas from the great Hoe and his team of ex consultants & MBAs that they just plain forgot about it.
Oh dear – I feel a class action sueball is due any time soon.
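Added example (not part of the original post or its comments, and not eBay's code): what the one-way hash with a per-user salt mentioned in the comment above looks like, and why the salt has to be unique per user. PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever scheme a real site would choose; the iteration count, function names and sample password are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is made for each new user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected_digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)

def demo():
    """Two users pick the same (constructed) password."""
    shared = "constructed-sample-password"

    # Per-user salt: the stored records differ, so cracking one record
    # tells an attacker nothing about which other users share the password.
    alice = hash_password(shared)
    bob = hash_password(shared)

    # One site-wide salt: identical passwords give identical records, so
    # a stolen table reveals reuse and every guess is tested against
    # all users at once.
    site_salt = b"\x00" * 16
    alice_fixed = hash_password(shared, site_salt)
    bob_fixed = hash_password(shared, site_salt)

    return {
        "per_user_salt_digests_differ": alice[1] != bob[1],
        "site_wide_salt_digests_match": alice_fixed[1] == bob_fixed[1],
        "correct_password_verifies": verify_password(shared, *alice),
        "wrong_password_rejected": not verify_password("not-it", *alice),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Unlike reversible encryption, nothing stored here can be decrypted back to the password; the server only ever recomputes and compares.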
Please remember that those like myself have to remember the Password. We are always being advised that we should not use the same password for everything and that we should not write it down.
So for those of us like myself how are we supposed to remember it?
In my case in the past I have used a combination of a Number that means something to me(usually a Railway Locomotive) and a word that means something to me. But reading all the various postings it looks as if to have a ‘strong’ password I have to have a long meaningless jumble of numbers and letters that mean absolutely nothing to anybody(probably what makes it so strong) including myself.
So if the password does get so complicated it gets inevitable that I have to write it down somewhere. Then when I get it wrong(as I inevitably will do) I can go back over it trying to find where the error is. In my case with a small account is it really that important that I have a password that is ‘strong’ or one that I can remember because it means something to me?
I don’t know perhaps somebody can advise????
You have three choices:
1. take an ‘improve your memory’ self help course and also eat more vegetables and fruit.
2. use a password manager application that will generate strong passwords for all your accounts and you have to only remember one longer password
3. write the bloody thing down but keep it safe somewhere near the workstation or in a locked draw nearby
In your case option 3 is the only viable way forward given your issues and there is nothing wrong with writing it down as long as you keep it safe.
And yes you can use a long passphrase based on something you can remember (iamnotacornishwrecker666) but you need to mix up the upper & lowercase characters/numbers and substitute 3 for an E and 0 for an O for example etc.
Google is your friend here with lots of clever examples of how to do this if a long pseudo random password is too difficult for you to remember.
our address and telephone number is easily available to anyone on ebay anyhow, they don't need to hack it
Due to all the emails going backwards & forwards re Password Resetting I haven’t received any Saved Searches emails for 2 days – eBay chat line informed me today that:
I understand the importance of receiving saved search notification, let me tell you proactively that we have temporarily stop sending notifications. As there are lots of members trying to reset password, we wanted to make sure first that members do receives email notifications about passwords.
I informed them it would be a good idea to let members know on the Announcement Board!!
Re; “What’s missing in the message is the word “Sorry”.
Honestly, what do we expect??…. The day ebay accept they are at fault for anything, will be the day we all look into the sky, in amazement, as there it will be the illusive flying Pig…..
Pretty shoddy PR, ebay, first you piss off all your sellers, now you piss off all the buyers…..,
So now my easily remembered password is not longer valid, I’m being forced to use one with caps, symbols, numbers, etc. One that I will never remember. So what do I do? I write it down, making it far more vulnerable to theft. But hey–that’s not eBay’s problem, right? Way to pass the buck.
Early this morning received emails in our inbox from ebay requesting password change…Better last than never, as they say!!
I presume the emails have all gone out now, as “favourite search” messages are arriving again from eBay this morning.
These things happen in the modern world, it's just part of life. Look at Sony and their Playstation fiasco a few years back. At least ebay got the message out through some controlled and uncontrolled media. I saw it on watchdog and changed the email. I know it's easy to bash ebay on many things (including the August changes which I find extreme), but on this occasion I think they did the right thing.