Three US states - Connecticut, Florida and Illinois – have launched a joint investigation to scrutinise eBay's absence of preventative measures against its widespread security breach.
While the US-based firm has detected neither the culprits nor the nature of the attack yet, its delay in confronting the fallout and lack of sufficient password encryption have also been called into question by the UK's information commissioner and European data authorities. Concerns have been raised, since the stolen information could be sold online and used in identify theft.
The feature, which would force users to change their passwords when they next log on to the site, should have been live in all countries where eBay is used by the end of Wednesday.
However, the UK version of the eBay homepage now carries a notice alerting users to the importance of resetting their passwords on or after 21 May "to protect the security and privacy" of their customers. Users are currently reporting problems with accessing the reset site, which eBay claims is due to high levels of traffic.
The mass cyber-attack, which occurred between February and March, left millions of users' passwords and non-financial data exposed. The US-based firm revealed that attackers had been able to access employees' login credentials, as well as up to 145 million customers' phone numbers, dates of birth, postal and email addresses and account passwords. User details of PayPal, the e-commerce subsidiary of eBay, had fortunately not been compromised.
Of eBay's slow reaction, Alan Woodward, an independent security consultant, told the BBC, that the company "shouldn't take this long to have something in place that forces users to change their passwords, and it should have let people know what was happening."
"It doesn't take much time to send an email out for goodness sake," he added.