Andrew Breese

Musings of a professional geek

What are the eBay hack implications for ordinary people?

So eBay was hacked pretty badly (Soylent post, and eBay’s own announcement), which for the geeky type folk is interesting in terms of how they did it; but more importantly – every eBay user should take care and think about what they have shared with these companies.

The nature of the hack is typically complex, and the explanations of how are not really that relevant to every day users (I’m not being condescending by saying that, as I consider myself an end-user too). eBay has made a fair effort to give details recently, but can also be rightly questioned about how long the advice took to reach their customers. Rightly or wrongly it is around 2 months since the actual event, and that is a fairly long amount of time to wait to request password resets.

  • For users it means change your passwords now. Change them to something which is hard to guess; preferably a gibberish nonsensical combination of letters, numbers, and special characters.
  • Also change any passwords for services which you used with ebay too.
  • And please ensure the password is not the same as any other services you are using.
  • Consider using a password vault of some sort. It makes having all these different password easier, and also helps you when using multiple computers. Yes, it can be hacked too, but everything can be.

The reason for this is we don’t know what other attacks are being attempted, or what previous attacks might not have been understood well. PayPal is certainly a regular target for trouble too, so consider altering your credentials with them as well.

The tech jargon translates to mean that your password wasn’t easy to read, but it is only a matter of time until it is. Database encryption is a wonderful thing, but time and brute force will beat almost anything in use today; and by comparison the “safe”encryption methods of five or so years ago and now considered questionable.

Of the 140 million accounts compromised, wouldn’t you rather be one of the ones that isn’t open when the hackers decrypt all those old passwords?

Is this an alarmist approach?  We’ll no. This time resetting your credentials is the first step.

There are additional steps “normal” online users should do too:

  • Consider changing what personal information you are currently saving into and sharing with every online service (a.k.a. website). Each app, each URL, every vendor, all those games, and whatever Facebook widgets all collect information from you and you’re far better off if the collection of information out there is as vague as possible. I recently went through Facebook, eBay, paypal, and a few other services that I use and removed a lot of personal information. From now on they only get the minimum.
  • As part of that depersonalization, consider getting your orders delivered to a place which isn’t your home address. I often use my work address, as there will always be somebody there during postal delivery hours, but it also means that eBay and such have no idea of where I actually live.
  • Don’t trust your app vendors and more than you’d trust the guy at your local clothing store, cafe, or petrol station. Just like it is trivial for somebody working in the store to grab your card number, it is a lot harder but also a lot easier to do in huge quantities for online transactions. This means that while you’re generally more secure online for a single transaction, the methods of attack are far more complex and harder to understand.

Hope this was useful, and also wish the darn hackers would get into something a little less destructive and nasty. The skills to do some of this activity are significant, and there has to be a better way to gain money or notoriety.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: