eBay password changes -- were they attacked?

I now have a couple of unrelated notices in my hand that people's eBay passwords were changed -- by eBay. One of them was mine, in consequence of which I believe they're real, but I'm led to wonder: did eBay change a Whole Lotta Passwords? If so, why?

Anyone else get a "We changed your password due to possible fraud" email overnight?

Reply direct, I'll summarize.

And remember, if you did, and you changed your password, and you use eSnipe, change it there, too.

Cheers,
-- jra

--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

My password wasn't changed and I didn't get any notice from eBay.

Best Regards,
Filip Hruska

I got one of those a few weeks ago. When I inquired about it I was told that the password I was using was found on some leaked password list and due to that they had set a temporary password to protect my account.

-DJ
_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages

On 5 Apr 2016, at 16:51, DJ Anderson via Outages <outages@outages.org> wrote: When I inquired about it I was told that the password I was using was found on some leaked password list and due to that they had set a temporary password to protect my account.
Late last year I worked on an abuse report (filed by eBay) where a customer server was hosting an eBay phishing page. Despite the fact they were all meant to be emailed directly to the hackers, a bit of digging found the list of email addresses (and passwords) that had been captured by the phishing page. eBay probably did exactly as above when we provided them with that list: changed passwords and contacted affected users.

Unless "we've changed your password and are contacting you to let you know" is the next level of the phishing scam ;-)

Marek Isalski

On 04/05/2016 10:51 AM, DJ Anderson via Outages wrote:
I got one of those a few weeks ago.
When I inquired about it I was told that the password I was using was found on some leaked password list and due to that they had set a temporary password to protect my account.
-DJ
Does that not imply they are not using salted hashes, but storing the passwords in plaintext? Or maybe they're intercepting the passwords and testing them against a dictionary? I might be OK with the latter, maybe (but who appointed them to be the world's password police?)

--Joey Kelly

<snip>

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

Possibly, though I'd lean more toward the password list coming from a phishing site, in which case everything would be in the clear, and testing it against their own properly salted, hashed password database would be trivial.
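The check Chris describes, testing a plaintext list against a properly salted and hashed password store, as an added example that is not from this thread and not eBay's code. The store, its PBKDF2 parameters, the sample accounts and the "phish-captured" list are all constructed here for illustration: the provider looks up each leaked address, re-derives the leaked password with that user's own stored salt, compares hashes, and queues only exact matches for a temporary password and a notice. The provider never needs to hold a plaintext copy for this to work; a leaked list that carries plaintext is the attacker's doing, not the store's.

```python
import hashlib
import hmac
import os

# Work factor for the illustrative store. The value is an assumption for this
# example, not eBay's or anyone else's real parameter.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash: PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """Stored-credential record: a random per-user salt plus the derived hash.
    The plaintext is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the candidate with the user's own salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def find_compromised(db: dict, leaked: list) -> set:
    """Return the addresses whose *current* password appears in a leaked
    plaintext list. Each leaked pair costs one hash computation; no plaintext
    has to exist on the provider side."""
    hits = set()
    for email_addr, plaintext in leaked:
        key = email_addr.strip().lower()
        record = db.get(key)
        if record is None:
            continue                      # not a customer here: nothing to reset
        if verify(record, plaintext):
            hits.add(key)                 # live credential in the wild: force a reset
    return hits


# Constructed sample store and leak (no real accounts or real passwords).
USER_DB = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com":   make_record("hunter2"),
    "carol@example.com": make_record("Tr0ub4dor&3"),
}

LEAKED_FROM_PHISH = [
    ("alice@example.com", "correct horse battery staple"),  # matches: reset
    ("bob@example.com",   "hunter3"),      # stale or mistyped: no match, no reset
    ("dave@example.com",  "password"),     # not a customer: ignored
    ("CAROL@example.com", "Tr0ub4dor&3"),  # address case differs, still matches
]


def main():
    for addr in sorted(find_compromised(USER_DB, LEAKED_FROM_PHISH)):
        print(f"set temporary password and notify: {addr}")


if __name__ == "__main__":
    main()
```

Two design points worth noting: the comparison uses hmac.compare_digest rather than ==, so verification time does not leak how many bytes of the hash matched; and a leaked pair whose password does not verify is deliberately left alone, since forcing resets on list membership alone would let anyone who can publish an address list lock customers out.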

On 04/05/2016 11:21 AM, Chris Swingler wrote:
Possibly, though I'd lean more toward the password list coming from a phishing site, in which case everything would be in the clear, and testing it against their own properly salted, hashed password database would be trivial.
That does make sense, and I have no objection to that scenario. --Joey Kelly

Not necessarily. If you use the forgot password and your password returns in clear text - then yes the database is likely either a weak salt, some sort of reversible encryption or plain text. Chances are they just noticed the DB was copied and as a precaution reset everyone's passwords.

-----Original Message-----
From: Outages On Behalf Of Joey Kelly via Outages
Sent: Tuesday, April 5, 2016 12:19 PM
To: outages@outages.org
Subject: Re: [outages] eBay password changes -- were they attacked?

Does that not imply they are not using salted hashes, but storing the passwords in plaintext? Or maybe they're intercepting the passwords and testing them against a dictionary? I might be OK with the latter, maybe (but who appointed them to be the world's password police?)

--Joey Kelly

If it's a phishing scenario, no matter how they store and protect passwords, they'd be compromised.

Keeping in mind, this is not confirmed, and at this point is pure speculation.

As for who made them the password police, that is one of the inherent duties in providing such a service. If they knew your account was compromised and did nothing about it, you'd be emailing with a very different attitude.

I received a very similar message from Amazon on 3/7/16. Discussion boards seemed to indicate it was legit, however my password was never actually changed by Amazon as the e-mail indicated, nor did I ever change it manually as a result.

The e-mail also appeared legit on the headers, but now that I look at it a little more closely it originated from amazonses.com which seems like it might be an e-mail service you can subscribe to?

Even though it had all the hallmarks, I never could figure out how it was a valid phishing attempt since no malicious links were contained in the e-mail, and logging on to Amazon to change my own password would result in ?

On 5 Apr 2016, at 15:29, Joe Zabramski via Outages <outages@outages.org> wrote:
I received a very similar message from Amazon on 3/7/16. Discussion boards seemed to indicate it was legit, however my password was never actually changed by Amazon as the e-mail indicated, nor did I ever change it manually as a result.
The e-mail also appeared legit on the headers, but now that I look at it a little more closely it originated from amazonses.com which seems like it might be an e-mail service you can subscribe to?
My assumption would have been that it was a phishing attempt, and that any credentials I had shared in response to the e-mail ought to be assumed compromised immediately. I'm not familiar with this "discussion board" approach to trusting unexpected requests for login details.

Joe

This is not outages-discuss. And eBay password phishing is not an outage.

--
Carlos Alvarez
602-368-6403

I’d greatly appreciate it if this list could be kept on topic too. Myself and others have subscribed to this in order to learn about enterprise ISP outages. I watch this list like a hawk as ISP issues always cause a barrage of problems for myself and others on here. It’s quite a disruption to keep reading about people’s personal problems, or problems with websites. There are many great communities and mailing lists that are not this one, for that type of discussion.

Thanks,

Chris Mayhew | Systems Administrator
175 Bloor Street East, South Tower Suite 900 | Toronto, ON M4W 3R8
CMayhew@SchoolMessenger.com

----- Original Message -----
From: "Mayhew, Chris N. via Outages" <outages@outages.org>
I’d greatly appreciate it if this list could be kept on topic too. Myself and others have subscribed to this in order to learn about enterprise ISP outages. I watch this list like a hawk as ISP issues always cause a barrage of problems for myself and others on here. It’s quite a disruption to keep reading about people’s personal problems, or problems with websites. There are many great communities and mailing lists that are not this one, for that type of discussion.
Indeed, and that list is outages-discussion. Or, direct to me, as I'd requested.

Cheers,
-- jra

----- Original Message -----
From: "Joe Abley via Outages" <outages@outages.org>
On 5 Apr 2016, at 15:29, Joe Zabramski via Outages <outages@outages.org> wrote:
I received a very similar message from Amazon on 3/7/16. Discussion boards seemed to indicate it was legit, however my password was never actually changed by Amazon as the e-mail indicated, nor did I ever change it manually as a result.
The e-mail also appeared legit on the headers, but now that I look at it a little more closely it originated from amazonses.com which seems like it might be an e-mail service you can subscribe to?
My assumption would have been that it was a phishing attempt, and that any credentials I had shared in response to the e-mail ought to be assumed compromised immediately.
I'm not familiar with this "discussion board" approach to trusting unexpected requests for login details.
Well, in fairness, none of these things require you to trust anything more than that your browser has you where the URL and certificate badge say it is.

"Amazon SES" is, of course, the AWS Simple Email Service, but I don't know if that's a valid domain for it.

Cheers,
-- jra

On Thu, Apr 07, 2016 at 03:33:12PM +0000, Jay R. Ashworth via Outages wrote:
Well, in fairness, none of these things require you to trust anything more than that your browser has you where the URL and certificate badge say it is.
"Amazon SES" is, of course the AWS Simple Email Service, but I don't know if that's a valid domain for it.
Yes, amazonses.com is the valid domain for AWS SES. What this means is the Email Joe received was actually sent via Amazon's SES service (possibly via SMTP, possibly via API), regardless of whatever other domains/hostnames/etc. were involved or shown in the mail.

Amazon's documentation doesn't make this readily apparent, but you can find definitive mentions of it here:

https://sesblog.amazon.com/blog/category/Announcements
https://sesblog.amazon.com/post/TxEH4YOF3YJG0L/Amazon-SES-IP-addresses
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/received-email-problems...

The most notable is the first link, quoting:

"By default, SES uses its own MAIL FROM domain (amazonses.com or a subdomain of that) when it sends your emails."

AWS SES runs an *incredibly* tight ship (I cannot stress this point hard enough), so if you're receiving Emails of a suspicious or nefarious nature which are truly coming via AWS SES, and your own review of the details shows that it's nefarious and did in fact come via AWS SES, you should report it. They absolutely can and will look into it -- because all outbound SMTP via SES, as well as API calls, are authenticated with a key which ties to an account/user/customer.

Abuse form: https://aws.amazon.com/forms/report-abuse

The easiest way to tell where an Email actually came from is to read all of the Received: headers one at a time. (Sometimes they're in most-recent-first order, other times they're not and you get to piece them together by paying very close attention).

--
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                 http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
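Walking the Received: headers the way Jeremy describes, as an added example that is not from this thread and not Amazon's tooling. The message below is constructed: hostnames use reserved example domains and documentation IP ranges, the "a8-33.smtp-out.amazonses.com" relay name, the TRUSTED_SUFFIX for the recipient's own MTAs, and the message IDs are all assumptions. The code relies on the normal prepended order (newest hop on top) that Jeremy notes is not universal, and it extends his point with the caveat that matters for phishing triage: only the Received: lines written by your own MTAs are believable, so the origin reported is the peer your edge MTA actually talked to, even when the sender has forged an "eBay" hop underneath.

```python
import email
import re
from typing import List, Optional, Tuple

# Constructed sample message (not a real e-mail; hostnames and addresses are
# reserved example/documentation values). Each MTA that handles a message
# prepends its own Received: line, so the top line is the newest hop and the
# bottom one is closest to the true origin.
RAW_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby imap.recipient.example (Dovecot) with LMTP id 7bK3AQ for <joe@recipient.example>;
\tMon, 7 Mar 2016 10:02:03 +0000
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [198.51.100.33])
\tby mx.recipient.example (Postfix) with ESMTPS id 4DEF456
\tfor <joe@recipient.example>; Mon, 7 Mar 2016 10:02:01 +0000
From: "Amazon.com" <account-update@amazon.example>
To: joe@recipient.example
Subject: Your password was changed
Date: Mon, 7 Mar 2016 10:02:00 +0000

Your password was changed. If this wasn't you, sign in and review your account.
"""

# Same message with a line the sender forged *before* handing it to SES,
# claiming an eBay origin. It sits at the bottom of the stack, i.e. "oldest".
FORGED_LINE = ("Received: from mail.ebay.example (mail.ebay.example [203.0.113.5])\n"
               "\tby smtp-out.amazonses.com with ESMTP; Mon, 7 Mar 2016 09:59:00 +0000\n")
RAW_WITH_FORGED_HOP = RAW_MESSAGE.replace("From: ", FORGED_LINE + "From: ", 1)

# Assumed for this example: the receiving organisation's own MTAs live here.
TRUSTED_SUFFIX = ".recipient.example"

# Common 'from <host> ... by <host>' shape; RFC 5321 allows other layouts,
# and lines that do not match are skipped rather than guessed at.
HOP_RE = re.compile(r"^from\s+(\S+)\s.*?\bby\s+(\S+)", re.IGNORECASE)


def received_chain(raw: str) -> List[Tuple[str, str]]:
    """Parse every Received: header into (from_host, by_host), oldest hop first.
    Folded continuation lines are joined before matching."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())
        m = HOP_RE.match(text)
        if m:
            hops.append((m.group(1).rstrip(";"), m.group(2).rstrip(";")))
    hops.reverse()  # header order is newest-first; walk the path the mail took
    return hops


def origin_host(hops: List[Tuple[str, str]]) -> Optional[str]:
    """The peer that handed the message to our own edge MTA.
    Only lines written by our trusted MTAs are believable; anything below them
    was supplied by the sender and may be forged, so report the first hop
    *received by* a trusted host from an untrusted one."""
    for from_host, by_host in hops:
        if by_host.endswith(TRUSTED_SUFFIX) and not from_host.endswith(TRUSTED_SUFFIX):
            return from_host
    return None


def sent_via_ses(hops: List[Tuple[str, str]]) -> bool:
    """True when the believable origin is under SES's own MAIL FROM domain."""
    host = origin_host(hops)
    return host is not None and host.lower().endswith(".amazonses.com")


if __name__ == "__main__":
    for name, raw in (("clean", RAW_MESSAGE), ("forged", RAW_WITH_FORGED_HOP)):
        chain = received_chain(raw)
        print(name, [f"{f} -> {b}" for f, b in chain])
        print("  origin:", origin_host(chain), "| via SES:", sent_via_ses(chain))
```

On the forged sample the bottom Received: line names an eBay host, but because that line claims to have been written by an SES machine rather than by one of the recipient's own MTAs it is ignored, and the origin still resolves to the SES relay. That is the host to put in an abuse report to the service that actually accepted the message.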

----- Original Message -----
From: "Jeff Palmer via Outages" <outages@outages.org>
If it's a phishing scenario, no matter how they store and protect passwords, they'd be compromised.
Keeping in mind, this is not confirmed, and at this point is pure speculation.
Well, they did get back to me on Twitter with a very equivocal "something might be up, but we aren't so foolish as to admit it in public" reply, so maybe it's *sorta* confirmed.

Cheers,
-- jra
participants (13)
- Carlos Alvarez
- Chris Swingler
- DJ Anderson
- Filip Hruska
- Jay R. Ashworth
- Jeff Palmer
- Jeremy Chadwick
- Joe Abley
- Joe Zabramski
- Joey Kelly
- Mayhew, Chris N.
- Nick Pron
- outages@maz.nu