eBay 'not doing enough' over hacking – experts
Published 23/05/2014 | 02:30
SECURITY experts have criticised online auction service eBay for failing to better inform its Irish and international customers about a major hacking breach suffered by the company.
The passwords, personal names and physical addresses of 145 million of the website's customers were hacked in February and March.
It still has no information on its main web pages about the incident or the danger to eBay customers.
A spokesman for eBay.ie said that the company was not giving guidance to an estimated 100,000 Irish customers beyond the comments of the US parent company.
The company has said that there is no evidence of customers' financial data being compromised. However, this claim has also been criticised by security experts.
"What's being implied here is that absence of evidence is evidence of absence and that's not always the case," said Troy Hunt, a security expert for Microsoft.
"There have been many prior examples where attacks have occurred and companies have issued statements on the scope of the breach only to revise it upwards shortly thereafter, sometimes multiple times."
Graham Cluley, a senior security expert who worked for IT firm Sophos, said: "They're still not being proactive enough in telling their users who might have missed the headlines in the media.
"Users have to dig around in eBay's press section for news... and even then they don't tell folks how to change their password.
"The same is true if you log into your eBay account. There's no message displayed telling you about the breach or what you should do about it."
Irish experts say that the hacking incident could expose eBay customers to risks in other online accounts.
"Users of eBay need to be concerned about their other online platforms where the same password was used," said Ronan Murphy, chief executive of Smarttech.ie.
"Web users in Ireland are using the same password for multiple web accounts and websites. The massive security weakness in this approach means that web users are susceptible to attack on their accounts, perhaps in an unsuspecting manner."
The security breach raises fears of 'phishing' attacks, where eBay customers receive emails purporting to be from the company – but which are designed to trick them into clicking on unsafe web links.
Names, email and postal addresses, phone numbers and dates of birth of customers have been compromised.
It is feared that those details could now be used to leverage access to users' other online accounts.
Some sites, such as online banking services, accept a date of birth and address as part of their secure log-in process, while telephone banking services will often request the same details. Having a list of these personal details would make life easier for a cyber criminal.