eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.

More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in human-readable form.

Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."

eBay users should be wary of anyone contacting them claiming to be eBay or any other company. They should also anticipate an increase in phishing e-mails. That means they should avoid clicking links in e-mails or discussing anything sensitive over the phone. People who use their eBay password on other sites or services should immediately change it.

The lack of timely disclosure comes two weeks after eBay's discovery that "a small number of employee log-in credentials" had been compromised. If eBay wants to restore trust, it should explain why it took so long to directly notify customers that they should change their passwords. It should also provide a more thorough timeline about exactly what it knew and when, and what the process is for making such information known to users. Plus, officials should explain what they meant in their advisory by "encrypted passwords." If that means that passwords were converted to one-way cryptographic hashes, eBay should say how resistant the underlying algorithm is to the types of password cracking techniques that have grown so common that they're now a pastime among script kiddies.