eBay Demonstrates How Not To Handle Being Hacked

eBay has been hacked. All of its 145 million users need to change their passwords. But eBay apparently doesn't think that's worth mentioning anywhere on its home page.


As security expert Graham Cluley points out, eBay has not placed a link announcing its security breach anywhere on its home page. It hasn't yet sent emails to notify users, it doesn't force you to change your password when you log in, and it doesn't offer any easy instructions on how to change your password (we've got you covered there). A company that has been hacked should do all those things, rather than trying to pretend it didn't happen.

The lesson here? eBay is setting a disgraceful example. Don't emulate it. Hacking attacks can't always be avoided, but stupidity can be.

Why is eBay burying news of its security breach from its millions of web visitors? [Graham Cluley]


    I received a very important alert on login. Ebay now lets me purchase and print postage. I've seen this alert before, but I'm assuming until I actually do it, or they get bored, I'll keep seeing it!

    Also a note: if you were lazy like me and had the same password for Paypal or your email account, then keep in mind the hack gained access to emails as well. I started using LastPass a couple of weeks ago and just hadn't gotten around to eBay and Paypal until this morning ...

      Problem with separate passwords for Ebay and for Paypal.
      When I buy from Ebay or any other seller, the seller often gets my Paypal email address when I pay.
      If that seller pesters me for more business, I have to change my Paypal address to block him/her.
      Thankfully it has happened only once so far.
      I use mailnull.com to make up new email addresses but it is still a pesky chore.

    Because eBay are arseholes and don't care about anything other than money, if they tell people that means a few might be scared away and not spend money.
    They could care less that your account might have been hacked.

    It was surprisingly difficult to find *where* to actually change my password in eBay. I had to search the help section, and follow a link from there.

      Same here - I went through about 10 different menus before finding it.

        Cameron, Kai

        It's not that hard - under account settings as with 99% of other websites

          The word password appears nowhere on the 'account settings' page. The teeny password editing link is actually one of ten links entitled 'edit' way over on the right of the 'personal information' page.

      Interestingly, if you have an account on ebay.com (as distinct from ebay.com.au) you are greeted by a huge banner encouraging you to change your password.

      The process is much easier than digging through submenus, and involves a link back through your email address (probably improving the security aspects of the change).

    I'm confused, if eBay crypto-hashed & salted the passwords, then my password hash is pretty useless unless the hackers are planning on reversing the hashes?

    Realistically they wanted the other details I'd say, not the passwords.

      They got them too, your date of birth, address, etc. etc.

        I'll just go and change those too... oh... umm... Thanks Ebay.

    Should I get a password program like LastPass if I use Keychain?
    Thanks in advance.

    Easy to change. It was pretty obvious when I logged into my account.

    Thank you for your help.
    I tried to do a password reset in eBay AU & the 2nd page after my original password went to eBay Germany & in German language. I tried it 3 times in a new browser after closing the German one down & same story. BIG HELP THAT WAS, YEAH RIGHT!!!
    Then I saw on your forums about eBay.com & went there instead.
    & Presto, no great dramas. Password reset in 3 steps.
    Thank you, Alex
