This Week In Security: Ebay’s School of Hard Knocks

It’s the end of another busy week in the security world. As we’re wont to do at The Security Ledger, we had DUO Security Evangelist Mark Stanislav in to the deluxe Security Ledger Studios to talk about the events of the week.

The Security Ledger podcast

On the agenda this week: the continued fallout from the hack of online auction giant eBay. The company ran into a thicket of criticism this week for the breach and its botched response. Despite knowing about the security breach for weeks, eBay seemed unprepared for the fallout once the news became public. Beyond its statements to the press, the company hadn’t taken steps to streamline the (inevitable) flood of customers who wanted to update their password. In fact, more than a day after the news broke, eBay still hadn’t made mention of it on their home page.

What lessons can we learn from the breach at online auction giant eBay (and the company’s lackluster response)? We ask Mark for his thoughts. Also: Apple’s getting ready to enter the home automation market. Could Cupertino help foster best security practices in a market where they have been sorely lacking?



  1. How many thousands of users used the same password at PayPal as they did at eBay? Now PayPal is urging users to change their passwords. Just to be on the safe side, eBay users should maintain a bare minimum balance in their PayPal accounts. Of course, opening a second bank account and not keeping very much in the original bank account that you have associated with your PayPal account will also prevent hackers from accessing your account (or, for that matter, PayPal or eBay from yanking unwarranted refunds from that account). That’s why it’s so important to always transfer funds out of your PayPal account and the bank account associated with it AS QUICKLY AS POSSIBLE.

    • securityledger

      Yeah – I haven’t seen any data on password reuse between the two sites (nor am I expecting to). eBay and PayPal seem to operate as very separate entities, so it’s not like they make it easy to reuse a password between the two sites – but I’m sure it happens.

      • Since eBay sellers are FORCED to use PayPal, it’s logical that many of them (especially inexperienced “newbies”) may have used the same password at both sites. Since many people buying things off eBay also like the ease of using PayPal to purchase items, it’s logical that many of them may have used the same password on both sites as well. I’ve been using both sites (primarily as a seller) for many years (eBay since 1999, PayPal since late 2000) and my password at both for that 13-year period was only SLIGHTLY different (I have changed both since the hacking, of course).