Not well, it seems.
There was no notice up on their site yesterday, and registered users did not receive e-mails warning them to change their passwords.
Those who found out via media coverage rushed to the site today to try to change their passwords. The traffic was so heavy that the site couldn’t function well and many people were unable to complete password resets.
Why eBay didn’t post a notice on the site yesterday morning before issuing their press release is almost beyond comprehension.
Why they weren’t ready to send out emails to everyone yesterday is also almost beyond comprehension. I’d love to tell you what their email said, but I haven’t received one yet.
In the meantime, three states’ attorneys general are investigating the breach: Illinois, Florida, and Connecticut, while New York’s Attorney General is already demanding eBay offer free credit monitoring.
Even if you have changed your password – and any other sites where you may have used the same password – remain vigilant as there was enough information involved to make phishing or social engineering a real risk. According to eBay, the data types involved included your name, email and postal addresses, phone number, date of birth, and “encrypted” passwords (which is how eBay described their “proprietary algorithm” involving hashed and salted passwords). So even though credit card information reportedly wasn’t involved, the types of permanent information involved like your date of birth are problematic.