Following on from the news that an eBay password database has been compromised, and universal advice from security experts that users should now change their passwords, one thing has been loud and clear: the total lack of that password change requirement from eBay. Sign into eBay and there is nothing to say stop, change your password. There has been no email sent to registered users urging them to make the change. In fact the only mentions I've read of it have come from news stories in which they state that eBay are 'urging users to change their passwords' but truth be told it's a damn funny definition of urging if you ask me.
However, I have finally found the message that asks you to change your password and the proof is right here in the screenshot below.
The only problem being that eBay has opted to put that message on the change your password page. That's right, to see it you have to sign into eBay, go into the My eBay section, navigate to the Account tab and then the Personal Information section, and finally scroll down and hit the edit password button.
Yep, the only people who will see the message 'urging' them to change their password are those people who have already made the decision to change their password. Hit the 'learn more' link after the password change request screen and you finally come to a page with "A Message From Devin Wenig" which says:
Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords. We have no evidence that your financial information was accessed or compromised and your password was encrypted. However, to protect the security and privacy of our customers, we’re asking all eBay users to reset their passwords.
After you’ve changed your password, you will receive a confirmation to your registered eBay email account informing you that your password has been successfully changed.
Your trust is essential to us, and as a valued customer we want you to have confidence in buying and selling on eBay. That’s why we are asking all global customers to change their passwords. I regret any inconvenience or concern that this situation may cause you. We take this situation very seriously, and will continue to work with law enforcement to investigate this intrusion. We are committed to ensuring a safe and secure experience for you on any device.
I can only assume that eBay is going, at some point, to be sending this to all registered users by email; is going to display this message to everyone who goes to the sign-in screen; and is going to start being a little more proactive about helping users secure their accounts. Otherwise, I have to say, eBay is guilty of some very stupid decisions when it comes to incident response. eBay, you really could, should and must do better - and do so quickly.