The story about the massive cyber attack that may have compromised as many as 145 million eBay accounts a few months ago – but that was revealed by the online retailer only last week – continues to develop.
When eBay went public about the breach last week, it recommended that 145 million users change their passwords. Now, however the password-changing process has come under fire. Some security experts and tech media outlets say that it actually accepts new passwords that eBay’s own security policies describe as too weak.
As if that weren’t bad enough, the data breach has also led to a joint inquiry by a number of U.S. state attorneys-general and a possible investigation by the Information Commissioner (ICO) in the U.K. The ICO could impose fines as high as £500,000 ($914,330).
“eBay is, on the face of it, a very serious breach,” Information Commissioner Christopher Graham told BBC Radio. “The message for business is you’ve got to be better at security and you’ve got to be better with our personal data.” The ICO previously fined Sony £250,000 ($457,020) for a data breach, he noted.
In an article in The Register, Darren Paul describes his own experience when changing his eBay password.
“This writer has confirmed eBay accepted the most commonly used password as revealed in 2012 during its user password reset process,” Paul writes. “It also permitted those combinations explicitly marked unacceptable by eBay.”
Paul says the password system on eBay (Nasdaq: EBAY) flagged “high entropy” (randomness) passwords generated by the LastPass password management service as weak and suggesting riskier, more common alternatives would be more secure.
Security experts also claim to have found a new vulnerability. Jordan Lee Jones, a U.K. security researcher, reported a cross-site scripting (XSS) flaw in eBay’s labs page, which Paul said was offline at time of reporting. Jones had reported another vulnerability which eBay then patched.
A German security expert reported a second, unpatched XSS vulnerability which attackers could use to create auction pages with unauthorized Javascript that could steal users’ cookies.
“Ebay reused the cookies across sessions regardless of whether the victim logged out their account or reset passwords,” Paul reported.