eBay on Friday put a notice on its home page urging users to change their passwords after security experts had criticized the auction site for failing to promptly alert customers about a massive break-in and data theft.
The notice, which includes a link to the password reset process, was part of the advice eBay had given its users on Wednesday to immediately change their passwords.
That same day, eBay announced a huge data breach that had taken place in late February and early March. Hackers made off with the user database, which contained names, email and street addresses, phone numbers and passwords for an estimated 145 million eBay users. eBay said that the user information was encrypted.
The attackers compromised a "small number of employee log-in credentials," eBay said, to gain access to its network, then scoured the firm's systems before making off with the database. The San Jose, Calif. company discovered the break-in earlier this month.
"Take a moment to change your password," said Devin Wenig, president of eBay Marketplaces, in a notice on the website. "This will help further protect you; it's always a good practice to periodically update your password."
Wenig also urged customers to change passwords on other sites if they had reused the one for eBay.
Graham Cluley, a prominent security blogger who previously worked for U.K. security company Sophos, has been critical of eBay's slow reaction to the break-in, particularly the lack of a change-password notice on the Marketplace home page.
"If you're one of the world's top websites, and hackers broke in a couple of months ago, making off with a database of your users, wouldn't it make good sense to make sure that users visiting your website were clearly informed as to what was going on?" Cluley asked on his blog Wednesday. "And wouldn't it be good if you provided an easy link where people could reset their passwords?"
Cluley and others slammed eBay for not prompting users to change their passwords, for not emailing them as it had promised, and for making it difficult to switch to a new password.
Computerworld encountered problems changing passwords on eBay as well; in one password-reset section, eBay's site would not let staffers paste in new passwords generated by 1Password, a popular Mac password manager.
Today, Cluley said that he had seen the change-password message on the U.K. version of eBay yesterday. "But I know other countries have taken longer," he said in an email. "Their response time has hardly been impressive."
eBay has published an FAQ about the break-in on its corporate website.
eBay finally put a change-password notice on its website to prompt users to create new credentials after a massive data breach months earlier.