As the 145 million people affected by the security breach at online giant eBay get used to the idea that their personal information may be "out there" and their passwords need to be changed, we wanted to update yesterday's coverage of the story.

Data dump

As criminals are likely to do in the wake of drama and tragedy, someone has posted what they allege is a sample of a dump of data from the eBay breach on Pastebin. But in all likelihood, the data is not from that breach. Where is it from? People are still speculating.

A spokesperson from eBay has stated that this sample does not match the data in their database, and the details of the sample itself seem to back that up. The users shown in the sample would be an odd subset of customers for an international company like eBay, and the price asked (1.45 Bitcoin) is astonishingly low for the data of 145 million users. Even if the sample is not from the eBay breach, it could still be data from another company's leak. Or then again, it could just be random, fake data. Time will likely tell which is the case.

Does notice delayed = no notice?

There are many reports from concerned eBay users that eBay has not yet sent them an email about the problem and there is no notification about the problem on eBay.com. The only notification that my colleague and eBay.com user Stephen Cobb found appears after a user has decided to change their password.

It is common for sites to put a banner or a notification on their site after a breach urging users to change passwords, even when the stolen passwords were properly salted and hashed rather than stored in the clear. Why eBay has not done this is something of a mystery.

Wimpy password meter

If you have not done so already, this is a good reminder to update your password on eBay to a strong, unique password. This should be something that you can easily remember but nobody else could easily guess. My colleague, David Harley, has written extensively on this topic. Unfortunately, eBay allows passwords as short as six characters. We suggest at least 8, preferably more.

While eBay requires some mix of upper, lower, number, and symbol, it is wise to choose something much longer, using a combination of uppercase and lowercase letters, numbers and special characters. Unfortunately, the password strength meter that eBay uses is very wimpy, rating Password1 as "medium" and allowing unwitting users to employ the following atrocities:

  • Password
  • password1
  • Qwerty
  • Iloveyou
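
To make concrete why a meter that only counts character classes is "wimpy", here is an added example (written for this post, not eBay's code or any description of their meter) that puts a class-counting meter beside a checker that also looks at content: it normalizes case, trailing digits and common leet substitutions before consulting a common-password list, and flags keyboard-row sequences. The common-password list is a small constructed sample; a real deployment would use a large breach-derived list.

```python
"""Contrast a character-class-only password meter with a content-aware one.

Added example, not from eBay. The COMMON_PASSWORDS set is a constructed
sample standing in for a real breach-derived wordlist.
"""
import re

# Constructed sample of a common-password list (assumption: real lists have
# millions of entries, e.g. those shipped with password-cracking tools).
COMMON_PASSWORDS = {
    "password", "password1", "qwerty", "iloveyou", "123456",
    "letmein", "welcome", "admin", "abc123", "monkey",
}

# Undo the leet substitutions users reach for to satisfy class rules.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_classes(pw):
    """Number of character classes (lower, upper, digit, symbol) present."""
    return sum(1 for pat in CLASS_PATTERNS if re.search(pat, pw))


def naive_rate(pw):
    """A class-counting meter of the kind criticised above: it rates
    Password1 'medium' because it sees three classes and never asks
    whether the string is a dictionary word with a digit bolted on."""
    if len(pw) < 6:
        return "weak"
    return {1: "weak", 2: "weak", 3: "medium", 4: "strong"}[char_classes(pw)]


def normalize(pw):
    """Lowercase, strip trailing digits/symbols, then undo leet:
    'P@ssw0rd1!' -> 'password', 'Password1' -> 'password'."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def is_keyboard_walk(lowered, min_run=4):
    """True if any run of min_run characters follows a keyboard row
    forwards or backwards (e.g. 'qwer', '4321')."""
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    for i in range(len(lowered) - min_run + 1):
        chunk = lowered[i:i + min_run]
        if any(chunk in row for row in rows):
            return True
    return False


def rate(pw):
    """Content-aware rating: returns (verdict, reasons).

    Any dictionary hit, keyboard walk, very short length or near-single
    character is fatal ('weak') regardless of character classes.
    """
    reasons = []
    lowered = pw.lower()
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        reasons.append("common password (after undoing case, trailing digits and leet)")
    if is_keyboard_walk(lowered):
        reasons.append("keyboard-row sequence")
    if len(set(lowered)) < 4:
        reasons.append("too few distinct characters")
    if reasons:
        return "weak", reasons
    # Only now do length and class mix matter; long passphrases qualify
    # even with few classes.
    if (len(pw) >= 12 and char_classes(pw) >= 3) or len(pw) >= 16:
        return "strong", []
    return "medium", ["lengthen to 12+ characters or add character classes"]


if __name__ == "__main__":
    for candidate in ("Password1", "password1", "Qwerty", "Iloveyou",
                      "P@ssw0rd1!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r:32} naive={naive_rate(candidate):7} "
              f"content-aware={rate(candidate)}")
```

Running the block shows the four "atrocities" from the list above, plus the leet-speak variant, all rated weak by the content-aware checker while the class-counting meter still gives Password1 a "medium". The rule of thumb the checker encodes is the one stated in the text: length and unpredictability matter more than ticking the upper/lower/digit/symbol boxes.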

De-link PayPal

Because eBay owns PayPal, they frequently suggest users link their PayPal account to their eBay account. In the wake of the breach, if you have previously followed this suggestion, you may wish to revisit this idea and unlink those accounts. You can still pay with PayPal any time you want.

Linked accounts can give criminals an easier way in to a wider variety of data, because they let a login on one service carry over to another. More simply put: any time you remove a step from the process of logging in as a user, you remove a step of security against attackers trying to gain access to your information.