After hackers stole email addresses and other user data from eBay's network, the company announced it would email users to suggest they change their passwords. That doesn't make a whole lot of sense.
The problem with this approach is that the hours immediately following a breach are prime time for hackers. Cybercriminals are consummate opportunists. They scrutinise the news looking for ways to craft fraudulent and timely messages to trick people into clicking on them. The millions of eBay users who may have caught wind of the breach after seeing a headline today are more likely to fall for an email scam prompting them to click a link and input their login information. A similar technique was used by Chinese military officers to hack into US companies, showing that in cyber security, people are their own worst enemies.
Instead of emailing the auction site's more than 145 million active buyers worldwide, eBay could have immediately done something that Adobe Systems, LinkedIn and Evernote all did after their recent high-profile hacks: change users' passwords. Automatically resetting accounts is becoming a "common courtesy" after many breaches, says Lysa Myers, a researcher with Slovakian security firm ESET.
EBay said in a statement that there is no evidence of unauthorised activity resulting from the breach. Kari Ramirez, a spokeswoman for eBay, now says all users will "shortly" be required to change their passwords before logging in.
"Far too many people will simply ignore the notification and do nothing," says Brian Contos, a vice-president at security firm Blue Coat Systems. "Companies should automatically reset passwords, notify users why this is being done when they log in and hopefully allow more robust alternatives," such as two-step authentication.
For a case study in the danger of waiting, look at what happened to LinkedIn. A day after the company disclosed in June 2012 that encrypted passwords for some users had been stolen, 6.5 million LinkedIn passwords showed up on a hacker site. The company initially reset only the passwords it believed to be cracked. Later, LinkedIn disabled the passwords of other users who might have been affected.
Contrast that with Evernote's response to a breach of its network in March 2013 where user data – including passwords protected by strong encryption – were stolen. The company went all the way. It disabled all passwords and required users to create new ones the next time they logged in, a step the company said was taken out of "an abundance of caution".
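The blanket reset described above, as an added illustration that is not code from eBay, Evernote or any other company named here (the account store, its method names and the epoch-second timestamps are assumptions): every password set before the breach cutoff still verifies, but only into a forced reset shown in-app; existing sessions are dropped, and the exposed password cannot be chosen again.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_set_at: float              # unix timestamp of the last password change
    sessions: set = field(default_factory=set)

class AccountStore:
    """Hypothetical store (not eBay's or Evernote's code) that models a blanket reset."""
    def __init__(self):
        self.accounts = {}
        self.invalid_before = None      # breach cutoff; None until a breach is confirmed

    def register(self, user, password, now):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def invalidate_all_passwords(self, breach_time):
        # Blanket reset: no per-user guess about which passwords were cracked.
        self.invalid_before = breach_time
        for acct in self.accounts.values():
            acct.sessions.clear()       # stolen data may include session tokens too

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return "DENIED", None
        if self.invalid_before is not None and acct.password_set_at < self.invalid_before:
            return "RESET_REQUIRED", None   # explain why in-app, never via an emailed link
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        return "OK", token

    def reset_password(self, user, old_password, new_password, now):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash(old_password, acct.salt)):
            return False
        if hmac.compare_digest(acct.pw_hash, _hash(new_password, acct.salt)):
            return False                # reusing the exposed password defeats the reset
        acct.salt, acct.password_set_at = os.urandom(16), now
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.sessions.clear()           # other devices must re-authenticate too
        return True
```

In a real deployment the reset step would also demand a second factor, since after a breach the old password alone may already be in an attacker's hands.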
A blanket resetting of passwords can irritate users and in the case of e-commerce, slow or deter purchases. But trusting people to protect themselves is not a good form of cyber security.