Privacy auctioned off by Ebay hack

The latest company to fall victim to a hacking scandal

Auction site Ebay dominated the security side of the news last week after it revealed that user data had been stolen. Encrypted passwords, names, addresses, phone numbers, dates of birth and more had been nicked from its servers.

15 million UK users and a staggering 145m Ebay accounts around the world were affected, in one of the biggest global security breaches since someone let Edward Snowden bring his external hard drive into the office with him.

Ebay took a critical kicking for its handling of the attack, which was said to have happened back in late February or early March. It took ages to tell people, took ages to issue password change requests, and generally made a mess of managing the situation. But it's still where we'll be buying everything, right?


Discussion over on the Telegraph saw tech enthusiasts turn to a bragging match about the relative strength of their passwords. Reader IanHislop stepped up with: "I can recommend KeePass. I now have 80+ unique passwords, all up to 20 random characters that you could NEVER remember but as safe as a password can be."

To which David19 replied with the slightly cynical: "So presumably you have these wonderful passwords on a phone or a computer somewhere… and how do you protect this list?"

He really shouldn't have gone there, as IanHislop replied with an insight into his insane password management skills, explaining: "Held on a USB stick (with a backup copy in a locked safe) protected by Bitlocker. The password file itself is encrypted and protected by a 32 character passphrase (the only one I need to know and, being a phrase that makes sense to me, I can readily recall it) that would take even the most powerful hacker tools '8 to the power of 25' centuries to crack on average."

Not that he's got anything to hide, of course.

Another fine mess

On Sky there was a suggestion that Ebay may be fined by the UK's Information Commissioner for breaching data protection rules, with reader Aquatic dreading the damage that will do to his monthly sales invoices, saying: "If Ebay gets fined loads of money, they will simply squeeze more out of their users to pay for it. They have already upped their fees to 11% and they include postage in their final valuation. eBbay never warned me to change my password, Sky News did, I heard nothing from Ebay."

The financial implications of a fine are nothing to the auction giant, says reader Judgement Day, who complained: "£250,000 estimated fine is chicken feed to Ebay ... the rest of us are paying by having to sign up with Experian and other credit checking companies to ensure our details are not used for taking cash from our account."

Mr Day also summarised a lot of people's bewilderment that it appeared to take Ebay so long to work out what happened and tell people about it, adding: "Pretty poor excuse for a company with so much personal data, and this happened two months ago." Some negative feedback is definitely incoming.

Maximum security stockade

Beneath a Daily Mail piece that suggested the maximum fine Ebay could face in the UK is £500,000, the usual nutcases were out in force. Reader Vpharm is not happy at all, raging: "Hacking should be WHOLE LIFE IN JAIL. Selling data illegally should be LIFE in JAIL! Sadly a multi BILLION pound company will get a MAX £500,000 fine in the UK if any fine! We need the law to force companies like Ebay to compensate every victim £10,000 each time their data is taken!"

Reader Wayne then made a joke that gathered 70 little green arrow things beside it, classifying him alongside the likes of Peter Kay and Bill Hicks in the all-time comedy rankings, with his comment: "Is the information for sale available for cash on collection or do you have to use PayPal?"

Not bad. Password security is one of the hardest things to care about, let alone attempt to be funny about.

Only me

And it wasn't just Ebay that hit the hack headlines this week. Odd news broke of an exploit that broke into Spotify's servers, although official comment from the streaming site claimed that "only one" person's data was actually accessed.

Beneath an Ars Technica piece about the Spotify and Avast forum hacks, reader Robert Walter wonders why passwords are encrypted but not stuff like usernames and dates of birth, asking: "What kinds of idiots are running these companies that they think that credit card data (which is insured and can be cancelled and replaced) is more important than personal details which can't be replaced?"

There were a few technical explanations about why this is the case, but they didn't make particularly enjoyable reading, nor can we verify they're true as it's all a bit… hard.

The constant flood of highbrow hacking news is becoming routine reading for defeatist JohnnyTheGeek, though, who sighed a little further down: "I don't rant about these breaches anymore. It does no good, and I just accept that your information will be hacked online at some point and the bigger your footprint the faster this will happen."