Submission: eBay Still Has Login Vulnerabilities?
Atario writes: "This morning I checked my email to find several apparent eBay-alike spam messages in my Inbox. This reminded me that I needed to leave feedback for something on the actual eBay. So I went there, only to find that I could no longer log in. Long story short, I realized that those "fake" eBay emails were the real thing — and were sent from my eBay account! Horrified, I contacted their help people and got my password reset, and some mass eBay emails following up to those who had been spammed, saying that I hadn't done it. Going to my account, I saw that the attackers had sent a "visit our happy and good-spirit Chinese web site and buy electronics" spam to 30 different people. (Only the first six came to me, because those used a general "contact an eBay-er" mechanism, whereas the rest used an "ask seller a question" one; apparently the latter doesn't automatically send you a copy in email.) At any rate, whoever this was was able to change my password and send messages as me; this, to me, implies that they were able to crack my password and log in as me. This would mean either (1) inside job with DB access or (2) eBay is vulnerable to brute-force login-attempt attacks, which is something so easy to defeat (increasing attempt delays), they would need to be ashamed for about aleph-null years were this the case.
So, what does Slashdot think: eBay is infested with Chinese spammers as employees, or they can't get security minimally right after all these years?"
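The submitter's point that brute-force login attempts are "easy to defeat (increasing attempt delays)" is the standard per-account exponential back-off. The code below is an added illustration of that mitigation, not anything from eBay or from the submission: it keeps a consecutive-failure counter per account, refuses attempts until a doubling delay (capped so a legitimate user is never locked out for hours) has elapsed, and includes a small helper that counts how many wrong guesses fit into a time window under that policy. The account names, the defaults (three free attempts, 1 s base delay, 15 min cap) and the simulated clock are all constructed assumptions.

```python
"""Per-account exponential back-off for failed logins (added example, not eBay code)."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # clock time (seconds) before which attempts are refused


@dataclass
class LoginThrottle:
    base_delay: float = 1.0    # seconds imposed after the first throttled failure
    max_delay: float = 900.0   # cap (15 min) so the owner is never locked out for hours
    threshold: int = 3         # failures allowed before delays begin
    accounts: dict = field(default_factory=dict)

    def delay_after(self, failures: int) -> float:
        """Delay imposed after `failures` consecutive failures: 0 below the
        threshold, then base_delay doubling each time up to max_delay."""
        if failures < self.threshold:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Process one login attempt at clock time `now`.
        Returns "throttled", "denied" or "ok"."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # Refuse before the password is even checked, so a guesser gains no
            # information and the server does no credential work.
            return "throttled"
        if credentials_ok:
            self.accounts[user] = AccountState()  # success resets the counter
            return "ok"
        st.failures += 1
        st.locked_until = now + self.delay_after(st.failures)
        return "denied"


def guesses_in_window(throttle: LoginThrottle, window: float) -> int:
    """Count how many wrong guesses against a single (constructed) account fit
    into `window` seconds if the guesser retries the instant the throttle lifts.
    This is a defender-side sizing check: with the defaults, an hour allows only
    15 guesses instead of the thousands an unthrottled endpoint would permit."""
    user = "victim-account"                # constructed account name
    throttle.accounts.pop(user, None)      # start from a clean state
    t, count = 0.0, 0
    while t < window:
        if throttle.attempt(user, False, t) == "denied":
            count += 1
        t = throttle.accounts[user].locked_until  # wait until the next allowed attempt
    return count


if __name__ == "__main__":
    th = LoginThrottle()
    for i in range(5):
        print(i + 1, th.attempt("alice", False, now=0.0))  # 3 x denied, then throttled
    print("guesses per hour:", guesses_in_window(LoginThrottle(), 3600))
```

The key design points are that the throttle is evaluated before the password, that a correct login clears the counter, and that the cap bounds the damage an attacker can do to the owner by deliberately failing logins (a lockout policy without a cap becomes a denial-of-service lever).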