NEW YORK (CNNMoney) — Companies typically do a terrible job of notifying customers when they’ve been hacked, and eBay is no exception.
It’s been more than 24 hours since eBay revealed it was hacked. Yet the company still hasn’t emailed users to notify them that they must change their passwords.
Instead, eBay posted a prominent notice on its homepage. But that’s only obvious to someone who happens to visit the website Thursday.
Customers are furious.
Kurt Brown of Battle Creek, Iowa, shops on eBay at least once a week. He wonders what’s taking eBay so long.
“I think it is terrible,” he said. “They can email us through their own system all at once. They send me a lot of emails encouraging me to buy certain things, they can tell us about this!”
EBay did not immediately respond to a request for comment.
Two months ago, cybercriminals got a hold of eBay employee credentials and silently slipped into the company’s computer network. They stole a database full of user information: customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates.
It’s valuable information that can be used to scam people and dupe them into giving up financial details.
The good news for eBay customers: The passwords were encrypted with a technique called hashing, which makes them essentially impossible to decipher. Still, eBay is asking all users to change their passwords — via a “Password Update” notice on the site.
Katherine Leckrone is an occasional eBay user who thinks that notice is not enough. Not everyone visits eBay every day.
“The failure of eBay to be my source of information on this event gives me an impression that they are trying to skirt accountability or keep this event somewhat quiet,” she said. “Being forthcoming and transparent generally garners better customer confidence.”
Cody Bernardy of Seattle thought it strange that eBay didn’t reach out, especially because he thinks of himself as “a power seller” of computer equipment.
“It’s kind of disappointing actually, considering I sell items worth $500+ and that I pay 20% of my profits to them,” he wrote. “It should have been a quick response, especially since people solely depend on eBay for a revenue.”
This half-hearted approach by companies is nothing new. There is no nationwide law forcing companies to notify customers of data breaches by hackers. Most companies are vague about the extent of the damage and don’t say anything to customers until much later.
For instance, hackers broke into AOL and took “a significant number” of customer email addresses, passwords, contact lists, postal addresses and answers to security questions. But the company stayed quiet about how many of its estimated 120 million customers were actually affected. And customers complained about receiving spam from AOL accounts for weeks until the company revealed anything.
Manesh Dadlani, another eBay user in New York City, complained about the lack of communication and said it “feels like they don’t have a grasp of the situation.”