eBay under fire over delay in disclosing user-password hack
Company waited three months before telling users to change their passwords
Online marketplace eBay is facing investigation in several states and mounting criticism over the attack that compromised users' passwords and personal data - and over the three-month delay in disclosing the attack to users.
The states of Connecticut, Florida and Illinois are already investigating the company, and may be joined by other US states, as well as by the appropriate authorities in the countries around the world where eBay operates - such as the Information Commissioner's Office (ICO) in the UK.
When the company finally admitted the breach, it promised to force users to reset their passwords when they next logged in, but instead has only just added a message on its homepage advising users to change their passwords.
The attack may also affect users of the PayPal payments service, which eBay owns and obliges eBay users to use, because many people may use the same password for both services - despite the links to people's bank accounts that PayPal requires. To make changing passwords even more difficult, PayPal obliges its users to key in their bank account details when changing such details as their login email and password.
eBay was hacked between late February and early March, with the attackers gaining access to the company's database of email addresses, real-world addresses, telephone numbers and dates of birth - all information sufficient to attempt identity theft.
The company claims that the passwords were encrypted, but admits that the other information was not. Furthermore, the attackers have had ample time to "brute force" the encryption on the passwords.
Security experts have been critical of eBay's lackadaisical approach to what has been described as the second-biggest security breach ever.
"It feels to me like eBay isn't handling this very professionally," wrote independent security analyst Graham Cluley in one of his daily blog posts.
"Firstly they messed up the original disclosure of the breach with a half-finished blog post that should never have been published, then they deleted it (making everyone think it was an innocent mistake - and that no breach had occurred).
"Then it was confirmed that a breach had occurred, and everyone should change their passwords...
"But they're still not being proactive enough in telling their users who might have missed the headlines in the media, or in sharing information regarding what methods it had used to encrypt, salt and hash the passwords to keep them out of the hackers' hands.
"And, excuse me, but if the site is serious about all eBay users having to reset their passwords - why aren't they forcing a password reset? How come you can still log into eBay with your old password?"
However, eBay claimed that it had not seen any increase in potentially fraudulent activity on its website.