[outages] eBay password changes -- were they attacked?

Joe Zabramski jz at zabram.com
Tue Apr 5 15:29:59 EDT 2016


I received a very similar message from Amazon on 3/7/16. Discussion boards seemed to indicate it was legit; however, my password was never actually changed by Amazon as the e-mail indicated, nor did I ever change it manually as a result.

The e-mail also appeared legit on the headers, but now that I look at it a little more closely, it originated from amazonses.com, which seems like it might be an e-mail service you can subscribe to?


Even though it had all the hallmarks, I never could figure out how it was a valid phishing attempt since no malicious links were contained in the e-mail, and logging on to Amazon to change my own password would result in ?

From: Outages [mailto:outages-bounces at outages.org] On Behalf Of Jeff Palmer via Outages
Sent: Tuesday, April 05, 2016 12:45 PM
To: Joey Kelly
Cc: outages at outages.org
Subject: Re: [outages] eBay password changes -- were they attacked?

 

If it's a phishing scenario, no matter how they store and protect passwords, they'd be compromised.

Keeping in mind, this is not confirmed, and at this point is pure speculation.

As for who made them the password police, that is one of the inherent duties in providing such a service. If they knew your account was compromised and did nothing about it, you'd be emailing with a very different attitude.

On Apr 5, 2016 12:20 PM, "Joey Kelly via Outages" <outages at outages.org> wrote:

On 04/05/2016 10:51 AM, DJ Anderson via Outages wrote:
> I got one of those a few weeks ago.
>
> When I inquired about it I was told that the password I was using was found on some leaked password list and due to that they had set a temporary password to protect my account.
>
> -DJ



Does that not imply they are not using salted hashes, but storing the
passwords in plaintext? Or maybe they're intercepting the passwords and
testing them against a dictionary? I might be OK with the latter, maybe
(but who appointed them to be the world's password police?)

--Joey Kelly


<snip>

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
_______________________________________________
Outages mailing list
Outages at outages.org
https://puck.nether.net/mailman/listinfo/outages
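
Added example, not part of any message in this thread: a sketch of how a service that stores only salted hashes can still test its own accounts against a leaked credential list, which bears on the salted-hash question quoted above. The KDF choice (PBKDF2-HMAC-SHA256), the iteration count, the function names and all account and leak data are assumptions constructed for illustration; nothing here describes eBay's or Amazon's actual systems.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed parameter for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier with PBKDF2-HMAC-SHA256 and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(username: str, password: str) -> dict:
    """What the service keeps per account: salt and hash, never the plaintext."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def exposed_in_leak(record: dict, leaked_pairs: list) -> bool:
    """Re-hash each leaked candidate for this user with the stored salt and compare."""
    for leaked_user, leaked_password in leaked_pairs:
        if leaked_user != record["user"]:
            continue  # only test candidates leaked under the same identifier
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            return True
    return False


def accounts_to_reset(records: list, leaked_pairs: list) -> list:
    """Accounts whose current password appears in the leak and should be reset."""
    return sorted(r["user"] for r in records if exposed_in_leak(r, leaked_pairs))


# Constructed sample data: two enrolled accounts and a third-party leak list.
ACCOUNTS = [
    enroll("alice@example.com", "correct horse battery"),
    enroll("bob@example.com", "Summer2016!"),
]
LEAK = [
    ("bob@example.com", "Summer2016!"),   # reused password, still current
    ("alice@example.com", "hunter2"),     # leaked elsewhere, not her password here
    ("carol@example.com", "qwerty"),      # no account at this service
]

if __name__ == "__main__":
    print(accounts_to_reset(ACCOUNTS, LEAK))
```

The salt is stored beside the hash, so the service can recompute the hash for any candidate password; salting only stops one precomputed table from covering every account.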
