You have likely seen the news that eBay was compromised and disclosed on Wednesday the 21st, resulting in as many as 145 million customers being affected. eBay was quick to state that the criminals did not gain access to financial information, trying to allay customer concerns. Despite that, there are many aspects of the aftermath that concern people. Andy Greenberg at Wired and Madeline Bennett at The Inquirer are just two of many to write articles on “how not to handle a security breach”.
It didn’t take long for several US Attorneys General and one official in the UK to start, or express interest in, a formal investigation. I think it is warranted given eBay’s slow response and the lack of any details about the incident from the company. It took them several days to finally add a banner to their site warning users to change their password.
What is disturbing is that four days later, I have not received an email from eBay warning me of this breach, while I am still receiving notices about random auctions ending that I am not watching. Learning of a breach from the news for several days, and not from the company, is bad form. In a comment made to the BBC on Friday the 23rd, eBay said:
EBay told the BBC that it was not aware of any technical problems with the password reset function on the site.
“The site is busy, but our secure password reset tool is working,” a spokesman said.
This caught my eye today as I read it just hours after seeing a Tweet from Kenn White in which he shows how ‘secure’ the password reset feature is:
Between the lack of response, slow action to get a visible password reset warning, not mandating that users change passwords, and not understanding what good password security is, I think it is time for the FTC to step in. Companies must be held accountable for the security of their customers.
Update #1: I received my breach notification letter and request to change password an hour ago, almost eight hours after posting this blog, four days after it hit the news.
Update #2: @miaubiz points out that the actual breach happened between late February and early March, leading to questions on why it took them so long to disclose.