eBay Security & OpenSSL

24-05-2014, 03:44 PM
If you don't already know, eBay was hacked due to the Heartbleed bug in OpenSSL. If you haven't done so already, you should change your password at eBay.

This link: Safe Web - Heartbleed Check (http://safeweb.norton.com/heartbleed) will allow you to check any HTTPS:// page for the bug.

24-05-2014, 03:56 PM
I got an email from eBay this morning.

24-05-2014, 11:42 PM
Irving, I don't think it was the Heartbleed script, but more of an insider hack. Here's the official notice from eBay: Important (http://www2.ebay.com/aw/uk/201405230907132.html)

25-05-2014, 07:56 AM
Ok. I was responding to a media report. I've not had anything formal from eBay :(

But the link is still useful!

Lee Roberts
25-05-2014, 12:54 PM

If you go to eBay and log in, you will be asked to reset your password and this is what they have to say about it:

Keeping Our Buyers and Sellers Safe and Secure on eBay

On Wednesday, we announced that we are asking all eBay users to change their password. This is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.
We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay. So we think it’s the right thing to do to have you change your password. And we want to remind you that it’s a good idea to always use different passwords for different sites and accounts. If you used your eBay password on other sites, we are encouraging you to change those passwords, too.
Here’s what we recommend you do the next time you visit eBay:

Take a moment to change your password. This will help further protect you; it’s always a good practice to periodically update your password. Millions of eBay users have already updated their passwords.
Remember to always use different passwords on different sites and accounts. If you haven’t done this yet, take the time to do so.

Meanwhile, our team is committed to making eBay as safe and secure as possible. We are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do.
Thanks for your support and cooperation. eBay is your marketplace, and we are committed to keeping it one of the world’s safest places to buy and sell.
Devin Wenig
President, eBay Marketplaces


25-05-2014, 01:52 PM
From the Heartbleed website Heartbleed Bug (http://heartbleed.com/) "Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

I would like to think eBay would have fixed any bugs in the security of their servers well before now, knowing that the Heartbleed bug has been out there for more than 2 years. If they knew and did NOTHING to protect all eBay users, then they should at least compensate all users by giving them back the fees charged for the last 2 years, as they have left us all vulnerable to data theft and not provided a secure service for which they charge their fees.

Lee Roberts
25-05-2014, 04:09 PM
The problem was that no one knew about it over that time; it was discovered not so long ago while some guys worked on something else.


25-05-2014, 04:54 PM
I haven't seen anything official to suggest that eBay was compromised by the Heartbleed bug, and the reports I have seen appear to say that eBay was pretty quick to install the fix. This looks like a different issue.

george uk
26-05-2014, 12:14 AM
There is much more to this than gets publicised. It's not just the heartbeat bug; it's a number of disclosures over the past 18 months over purpose-built holes in security standards, all converging. Remember Google, Yahoo and Microsoft got hacked a few months ago as well. If they got the databases you can guarantee they broke the encryption.

I wonder when Apple is going to fess up.

And anyone who thinks the introduction of heartbeat was accidental, and not forced by the NSA and the like, should look at the dates relative to the dates they got access to the intercommunication of Google SSL servers, as published by Edward Snowden.

Lee Roberts
26-05-2014, 12:41 AM
George, if you get time and haven't already, watch this: Mikko Hypponen - How the NSA betrayed the world's trust, time to act (http://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act#t-395489). I think you may find it interesting.


george uk
26-05-2014, 02:57 PM
Hi Lee, I will have a look through that. I usually go through the TED talks; I have an interest in physics and math. If you ever need inspiration to build, design and blow anything up, watch the Burt Rutan TED talk on the evolution of flight and space flight.

I still don't think that people understand the future damage of letting their data into the hands of private companies. I have no problem with my government looking at my internet and computer activity. Even storing data on me... but... the likes of Currys, Walmart, PC World... horrifies me.

It would make sales prices unfair. How long before we get to the point that a price is only displayed for a product when the store can identify you and decide what the most you're likely to pay is, and give the next person a different price? Or a salesman is able to notice as soon as you walk in the door that you have a decent amount of spare cash in your bank, so they know to target and pester you...

I also suspect that PayPal may have been compromised by the eBay intrusion but they have not said so. How many people reading this have the same or similar login details for eBay/PayPal?