I just got the following email from eBay:
From: "eBay, Sven" >sven@ebay.com<
Date: Fri Mar 28, 2003 5:34:29 PM US/Pacific
To: >doctorow@craphound.com<
Subject: Urgent message from eBay SafeHarborHello,
In an ongoing effort to protect the security of your eBay account, eBay has reset your password and secret question. You will need to go to the eBay site to create a new password before you can bid on or list an item. Additionally, you should have received an automated email confirming this password reset…
3. If your old eBay password was also the password for any other online account you use (Paypal, Billpoint, etc.), we recommend that you immediately change those passwords as well. Good password security means that each one of your online accounts has a different password. Even a slight difference (one letter or number) offers substantial additional protection.
1. Be wary of emails appearing to be from eBay, providing links to sign in, as these are often attempts to collect your password information. Ensure the website you are directed to is in fact one that belongs to eBay. Please note this email does not provide a link, but asks that you go directly eBay. Always make sure that you're on an eBay page before giving out your eBay password or credit card information. The best way to be sure of this is to type www.ebay.com into your web address window of your browser…
Regards,Sven
eBay SafeHarbor
The headers (possibly forged, of course) suggest that this email orginated with eBay. I received another message right afterward, which informed me that my password and password hint had been reset from 209.63.28.12, an IP address in ELI.NET's allocation block (Vancouver, WA, 360-816-3000). No one at ELI.NET is answering the phone. No one at eBay is answering the phone.
Meanwhile, the original email, from "Sven," who apparently has no surname, suggests that there has been some kind of serious security failure there, the details of which eBay is choosing not to disclose, forcing a mass password change instead.
This, frankly, is steaming bullshit. If eBay has had a security breach that leaked my password and password hint (and possibly my other identifying info, like my credit-card number, SSN, billing address, etc), it has an ethical obligation to disclose the date and extent of the breach to me. I trusted eBay with my personal info, and if they failed to adequately secure it, then I need to know how great the risk is, and for how long the risk has persisted.
Cryptic, clueless-train messages like Sven No-name's are a poor, poor substitute for adequate notification.
