Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
The company said unknown hackers stole email addresses, encrypted passwords, birth dates, mailing addresses and other information in an attack carried out between late February and early March. The files did not contain financial information. An eBay spokeswoman said a large number of accounts may have been compromised, but declined to say how many. EBay said it found no evidence of unauthorized access to financial or credit card information at its PayPal payments subsidiary, which encrypts and stores its data separately.
EBay shares were down 0.2 percent late Wednesday afternoon, compared with a 0.9 percent rise in the Nasdaq Composite Index. The e-commerce company's stock has steadily fallen since late March as part of a broader slide in technology shares. Last month, eBay reached an accord with activist investor Carl Icahn, who had been calling for the company to spin out PayPal, which is growing quickly.
FRAUD ALERT
Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts. "This is not a breach that only hurts EBay. This is a breach that hurts all websites," said Michael Coates, director of product security with Shape Security. He said that companies typically only ask users to change passwords if they believes there is a reasonable chance attackers may unscramble encrypted passwords. Once the passwords are unscrambled, attackers could use automated software that seeks to log into thousands of popular services, including Facebook, Twitter, popular email services and online banking sites, he said.
EBay spokeswoman Amanda Miller said the company was making the request "out of an abundance of caution" and that it used "sophisticated," proprietary hashing and salting technology to protect the passwords. Amit Yoran, senior vice president of EMC Corp's RSA security division, said that cyber criminals sometimes take data from multiple breaches, combining them into detailed portfolios that fraudsters can use for scams. "We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals," Yoran said. "The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud."
NO SIGNS OF FRAUD
eBay came under pressure on Thursday over a massive cyber attack, as three US states began investigating the e-commerce company's security practices. Connecticut, Florida and Illinois said they were conducting a joint investigation of the matter. New York attorney general Eric Schneiderman requested eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter. Details about what happened are unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber-forensics firm. It is also unclear what legal oversight the states had to respond to eBay's handling of matter.
The states' quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian. Congress and the Federal Trade Commission are investigating the Target breach, which resulted in the firing of the company's chief executive and chief information officer. "There is definitely a climate shift," said Jamie Court, president of the consumer advocacy group Consumer Watchdog. "The departure of the Target CEO over the problem signals inside the board room and in the halls of government that these are betrayals of customers and that they won't be tolerated."
EBay shares were down 1.3% in afternoon Nasdaq trade, compared with a 0.6% increase in the Nasdaq Composite Index. The investigation by the three states will focus on eBay's measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company's response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen. His office, which is also investigating breaches at Target, Neiman Marcus and Experian, has already contacted eBay, according to Falkowski.
eBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman's request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack. "We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies," she said. "We are fully cooperating with them on all aspects of this incident." A spokesman for the FBI's San Francisco office said multiple agents were working on the case, but declined to comment on the likelihood or timing of arrests.
The investigations came as some eBay customers complained in eBay Community forums and on social media that they received news about the breach from media sources first and not directly from the company. Some customers said they had yet to received notifications by email, which eBay had promised to do. "This is all over the news – Nothing from EBay," sfbay111 said in one post on an eBay forum. Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords. As of Thursday afternoon, eBay did not have any information on the attack visible on its home page when accessed from the US. "That's really poor incident response," said David Kennedy, a cyber-forensics expert and chief executive of TrustedSEC. "eBay should be held to a higher standard."
Three states investigate eBay response to massive cyber attack | Technology | theguardian.com
Facebook has responded to frustration over its privacy policies by switching off the default setting that led many users to accidentally share their posts with the entire world wide web. Anyone joining Facebook from Thursday will only share their posts with friends and family, unless they explicitly choose to make their information open to everyone online, according to a post on the company's blog. The change will not affect its existing 1.28bn account holders, who will be prompted to carry out a "privacy check-up".
Facebook is facing stiff competition from a wave of social apps such as Snapchat, Secret and WhatsApp – which it recently acquired for $19bn (£11bn) – that have made discretion a selling point. The company's privacy product manager, Mike Nowak, said the decision to reduce the risk of new users over-sharing was taken in response to feedback from its subscribers. "If people share more publicly than they want to be sharing, that doesn't benefit us because it leads to bad experiences over time," said Nowak. "We want people's first impressions of Facebook to be as awesome as possible, and we know it's worse to accidentally overshare than to accidentally undershare." When it first allowed users to share posts publicly in 2009, the default setting was public, allowing anyone else online to see them. Facebook's decision was a hit with online advertisers eager to glean as much data as possible on its millions of users, but has been a constant source of concern for the public. In 2011, the company was forced into a settlement with the Federal Trade Commission, vowing to never make deceptive claims about its privacy procedures and agreeing to independent reviews of its practices.
Most recently, Facebook is being sued by a group of parents on whether it can use their children's images in adverts without consent. For the last decade, Facebook has pushed the boundaries of privacy, encouraging and occasionally forcing account holders to share increasing amounts of information. But Edward Snowden's revelations about the NSA have encouraged Silicon Valley's technology companies to take a stand on protecting their users' information, and regulators in Europe and America have begun to act to protect the rights of individuals online. Last week, the European court of Justice ruled against Google, in favour of a complainant arguing for the right to be forgotten by the search engine. "They have gotten enough privacy black eyes at this point that I tend to believe they realised they have to take care of consumers a lot better," said Pam Dixon, executive director of the campaign group World Privacy Forum.
This spring, Facebook introduced a privacy mascot in the shape of a blue dinosaur, dubbed "Zuckersaurus" after the social network's founder, Mark Zuckerberg, which pops up as people are about to release posts, prompting the user to make sure they are not sharing more widely than they intended. In its post on the change, Facebook said: "While some people want to post to everyone, others have told us that they are more comfortable sharing with a smaller group, like just their friends. We recognise that it is much worse for someone to accidentally share with everyone when they actually meant to share just with friends, compared with the reverse."
http://www.theguardian.com/technology/2014/may/22/facebook-privacy-settings-changes-users
