eBay hasn't emailed all customers about the attack

ebay password

Companies typically do a terrible job of notifying customers when they've been hacked, and eBay is no exception.

It's been more than 24 hours since eBay (EBAY) revealed it was hacked. Yet the company still hasn't emailed all of its users to notify them that they must change their passwords.

The company said on Twitter, "It will take some time for every eBay user to get our [password] reset email."

Initially, eBay posted a prominent notice on its homepage. But even that was taken down sometime Thursday.

Customers are furious.

Kurt Brown of Battle Creek, Iowa, shops on eBay at least once a week. He wonders what's taking eBay so long.

"I think it is terrible," he said. "They can email us through their own system all at once. They send me a lot of emails encouraging me to buy certain things, they can tell us about this!"

Related story: eBay customers must reset passwords

Two months ago, cybercriminals got a hold of eBay employee credentials and silently slipped into the company's computer network. They stole a database full of user information: customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates.

It's valuable information that can be used to scam people and dupe them into giving up financial details.

The good news for eBay customers: The passwords were encrypted with a technique called hashing, which makes them extremely difficult to decipher. Still, eBay is asking all users to change their passwords.

Watch a hacker steal encrypted passwords
Watch a hacker steal encrypted passwords

Katherine Leckrone is an occasional eBay user who thinks the website's notice -- which was eventually pulled down -- is not enough. Not everyone visits eBay every day.

"The failure of eBay to be my source of information on this event gives me an impression that they are trying to skirt accountability or keep this event somewhat quiet," she said. "Being forthcoming and transparent generally garners better customer confidence."

Cody Bernardy of Seattle thought it especially strange that eBay didn't reach out, especially because he thinks of himself as "a power seller" of computer equipment.

"It's kind of disappointing actually, considering I sell items worth $500+ and that I pay 20% of my profits to them," he wrote. "It should have been a quick response, especially since people solely depend on eBay for a revenue."

This half-hearted approach by companies is nothing new. There is no nationwide law forcing companies to notify customers of data breaches by hackers. Most companies are vague about the extent of the damage and don't say anything to customers until much later.

Related story: AOL hack causes zombie spam

For instance, hackers broke into AOL (AOL) and took "a significant number" of customer email addresses, passwords, contact lists, postal addresses and answers to security questions. But the company stayed quiet about how many of its estimated 120 million customers were actually affected. And customers complained about receiving spam from AOL accounts for weeks until the company revealed anything.

Manesh Dadlani, another eBay user in New York City, complained about the lack of communication and said it "feels like they don't have a grasp of the situation."

CNNMoney Sponsors