eBay slammed for daft post-hack password swap advice

'bestjetpilot' NOT good option, no matter what it tells you


eBay has been criticised for its advice to consumers on choosing a strong password in the wake of a megabreach that prompted it to tell millions of users to change their passwords.

The online tat bazaar admitted on Wednesday that a database containing "eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth” was accessed by as-yet unidentified hackers.

Cybercrooks broke in between late February and early March after compromising employee log-in credentials, "allowing unauthorized access to eBay's corporate network". Financial information was not exposed by the breach but eBay is advising its estimated 150 million active users to change their passwords anyway, as a precaution.

Software developer and blogger Troy Hunt discovered that a password with 20 random chars with at least four lowercase, four uppercase, four numbers and four symbols was rated only as "medium strength" by eBay's password strength tool. So is the auction house nudging its users to choose fiendishly difficult login credentials? Actually, no.

Examples of what constitutes a "good, secure password" cited by eBay include $uperman1963 (or other combinations of at least 6 to 8 letters, numbers, and special characters) and multiple words without spaces, such as "bestjetpilot".

"bestjetpilot" is really not a good password so it's just as well that, as Hunt discovered, attempts to change passwords to “bestjetpilot” are rejected as invalid.

eBay sensibly points out that users should avoid normal dictionary word like "kangaroo" but the "dictionary" passwords sniffed out by hackers, which is the issue at hand, contain "words" such as 123456 and perhaps “bestjetpilot” that don't appear in the OED, so its thinking here is flawed. The faulty guidance about “bestjetpilot” as a good password appears on the ebay.com.au domain’s password page – but doesn’t appear on the .com or .co.uk pages, as Hunt points out.

Even so, "eBay has some work to do with how it communicates and implements passwords", Hunt concludes.

Advising on what is - and what isn't - a strong password is perhaps trickier than it might seem. For example, the World Password Day website ‬featured a password strength meter that rated “password123456” as strong.

It obviously isn't.

We understand that the tool recognised the combination of letters and numbers as being “strong” and a deliberate decision was taken not to connect it to an extensive dictionary database in order to keep code on the site simple.

Getting people to change their eBay passwords may be trickier than it seems. A recent online survey of 268,000 consumers by anti-virus firm Avast shows that nine out of ten people intended to change their passwords after Heartbleed, but only 40 per cent actually took action. ®

Similar topics


Other stories you might like

  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading
  • Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft
    Life tastes not so good right now

    Coca-Cola confirmed it's probing a possible network intrusion after the Stormous cybercrime gang claimed it stole 161GB of data from the beverage giant.

    "We are aware of this matter and are investigating to determine the validity of the claim," Coca-Cola communications global vice president Scott Leith told The Register on Tuesday. "We are coordinating with law enforcement."

    The ransomware gang, which has declared its support for the Russian government's illegal invasion of Ukraine, this week bragged it "hacked some of the company's servers and passed a large amount of data inside them without their knowledge." It's now trying to sell the stolen data for about $64,000, or nearest offer "depending on the amount of data you want," Stormous wrote on its website where it leaks pilfered information.

    Continue reading
  • Intuit sued over alleged cryptocurrency thefts via Mailchimp intrusion
    Financial software giant slammed for 'poor security practices'

    Intuit is being sued in the US after a security failure at its Mailchimp email marketing business allegedly led to the theft of cryptocurrency from one or more digital wallets.

    In a proposed class-action lawsuit [PDF] filed in federal court in northern California on Friday, the plaintiff – Alan Levinson of Illinois – claimed he and potentially others fell victim to a sophisticated phishing attack in which their Trezor cryptocurrency wallets were unlawfully accessed and funds siphoned.

    Someone earlier stole from Mailchimp details of Trezor's mailing-list subscribers, and used this information to reach out to those users with an email engineered to trick them into installing malware designed to hijack their digital wallets. Levinson said he believes millions of dollars in crypto-coins were stolen in this attack, including $87,000 from his own wallet.

    Continue reading
  • So, what happened with GitHub, Heroku, and those raided private repos?
    Who knew what when and what did they do?

    Analysis GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens.

    In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps."

    Salesforce-owned Heroku confirmed someone compromised an OAuth token – presumably an internal staffer's token – to get into Heroku's GitHub account and rifle through, and potentially update, users' GitHub repositories "using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub."

    Continue reading
  • Broader investment in cybersecurity beginning to pay dividends
    Improved defenses give organizations more room to negotiate but won't protect from lawsuits, says law firm

    An increased willingness on the part of enterprises to invest in cybersecurity may finally be starting to make a difference, according to US law giant BakerHostetler.

    While ransomware was involved in 37 percent of 1,270 incidents the firm handled during 2021, up 10 percent on 2020, today's Data Security Incident Response Report [PDF] suggests that growing uptake of mitigation techniques like multifactor authentication (MFA) and backups are driving the price of ransoms down.

    "Of the ransomware matters we helped manage in 2021, the average ransom demand paid was around $511,957, roughly two-thirds the average amount paid in 2020," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022