eBay Slammed As Customers Struggle To Change Passwords

Written by David Richards     23/05/2014 | 08:42 | Category: INDUSTRY

Tens of thousands of Australians whose passwords and user names were stolen during a hack attack on giant online retailer eBay are today struggling to change their passwords as the US companies servers struggle to manage the traffic from 145M records that have been compromised, the Company has so far failed to post any warnings on their Australian website.

eBay Slammed As Customers Struggle To Change Passwords
Australian executives from the giant retailer who also own Pay Pal are not returning calls and it was not till 1.20pm yesterday  that the Australian operation of the Company informed media of the attack which despite the Company being aware that the personal details of millions of their customers had been stolen two weeks ago.

The online auction site accidentally revealed news of the attack yesterday morning when a PayPal blog briefly posted a message with the headline "eBay, Inc. to Ask All eBay users to Change Passwords." but without any other content other than the words "placeholder text", when the Company realised that the message had been accidently posted they quickly took it down.

Six hours later eBay publicly admitted that hackers had stolen the names, email and postal addresses, phone numbers and dates of birth of all users. Passwords were also stolen.

ChannelNews has placed three calls to Megan Parish the Communications Manager for eBay Australia but none of our calls have been returned. Adrian Christie the Communication Manager at Pay Pal is also not returning calls. 

Security experts have been highly critical of the Companies response as emails warning customers that their details were stolen have still not been sent out to thousands of Australians.

Those that have been warned are now struggling to change their passwords because the sheer volume of people trying to change their passwords at once has meant that the eBay service is failing, leaving their accounts potentially open to attack.

Many people reached an error on the website when attempting to enter a new password which said "page not available", blaming "high traffic volume" and asking users to be patient. It reassured customers that no activity can take place on their account until the password is reset.

The Twitter user TweetieKaz said: "Went to eBay to change my password but couldn't due to traffic... I hope I can get that done soon." 

CRiSPilyMEEE tweeted: "So we're advised to change our eBay password because it's been hacked... yet I can't because of high traffic."

Even those who managed to reach the password-reset page have encountered problems. 

The Daily Telegraph reported that when a user requests a new password they are given the option of receiving a link via email or text message. This provides an additional layer of security as it requires access to the phone or email account of that registered user. But some people are complaining that these messages, once requested, are not coming through and they therefore cannot reset their password.

Carl Watts took to Twitter to complain: "We can't change the passwords on any of our accounts, sends the email reset link but keeps looping."

The security breach dates back to late February and early March, but eBay has said that it only became aware of the breach "earlier in May". This means that it could have had as long as three weeks to prepare for the influx of password reset requests.

Other users were struggling to even find the password reset option. User JPWarren said on Twitter: "How on earth do you change your eBay password? The UI is atrocious."

Now questions are being asked about the security surrounding the Companies Pay Pal and Magento platforms as the same Company that own eBay also owns Pay Pal and Magento. 

Some eBay customers had managed to change their password, but pointed out that their data would remain in the hands of hackers. Ian Cummings said: "I can change my eBay password, but I can't change my name, home address, phone number & birthday."

Despite announcing that they would be sending emails to all customers warning them to change their passwords, and to take the same step at other websites if they use the same password there.

 But these have yet to be sent out, and a warning message on the front page of the website was only added this morning.

"Obviously they've got a lot of people to tell. But I think their whole handling of this has been quite sloppy," said security expert Graham Cluley.

The Australian website has no warning message and customers have not got an email warning that their confidential information has been compromised
.
"I haven't seen anybody yet who's reporting that they've had an email, and that seems to me to be a bit slipshod. Initially news of the breach leaked out through some placeholder text, then that got removed. Back at that point I was warning people 'I've changed my email password and I think you should too'.

"I don't think they've handled it very well. Also, the breach happened a couple of months ago, so either they've been tardy or they didn't notice."

He said that the company had failed to provide enough information to accurately assess the severity of the attack, such as how strongly they encrypt users' passwords.

"We still don't know whether that's a password that could be easily decrypted by hackers, there is still potential that that's the case. Even if they only have personal details, that's enough to put together a very convincing email to get people to click on a link. Those are jigsaw pieces to your identity, which are stepping stones to identity theft. People trusted eBay with that data," he said.

An eBay spokesperson said overnight "We know that customers are concerned, and want us to fix this issue straight away, and we are working hard to do just that.

"Our first priority is and always has been to protect our users' information and ensure we correctly deal with the technical challenges such a situation brings, and that is why as a first step we have requested all users change their passwords. Other steps, including email notification, will follow and we will ensure all eBay users have changed their passwords over the coming days."