May 21, 2014
Security Breach Discovered At eBay, Call Put Out To All Customers: Change Passwords
Peter Suciu for redOrbit.com - Your Universe Online
Online marketplace eBay said on Wednesday that users of its service should change their passwords due to a cyber-attack that may have compromised a database containing encrypted passwords and other non-financial data. The "buy-it-now" giant also announced that it had conducted an extensive test of its network, and reported that there is no evidence that this particular compromise resulted in any unauthorized activity for eBay users.
However, the company did strongly suggest users change passwords as this remains the best practice following a security breach and could help enhance security for eBay users.
"Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers," the company posted on its corporate website on Wednesday. "We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the company added. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."
eBay said that its database was compromised sometime between late February and early March. At this time the cyber hackers were able to access information that may have included eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
However, eBay stressed that this database did not contain financial information or other confidential personal information. The company added that the compromised employee log-in credentials were first detected about two weeks ago.
"Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today," eBay added on its corporate site.
This particular breach did not reportedly result in any increased fraudulent account activity on the e-commerce site, and the company said that at the present time there is no evidence of unauthorized access or compromises to personal or financial information related to its PayPal service. In the statement, eBay said that PayPal data is stored on its own secure network, and that PayPal financial information is encrypted.
On Wednesday eBay began to notify customers via email, and asked users to change passwords.
Where the breach originated and how it was carried out is not yet clear.
"It's unclear whether the breach is related to the Heartbleed bug that exploits a flaw in OpenSSL and leaks data all over the place. eBay said a few employee log-ins were compromised in the breach, so perhaps the hackers were able to phish their way to your information, like they did in the Target hack last year," PC World noted.
As with the Target cyber-attack, this one involves a large amount of data.
"It's substantial," Simon Eappariello, senior vice president of engineering at iBoss Network Security, told USA Today. "If they're going to contact all of their users to change their passwords, that's a major breach in anyone's book. That's a lot of data."
Compared with other recent security breaches, experts have said that eBay responded appropriately.
"eBay responded promptly," said Greg Sterling, principal analyst at Sterling Market Research. "Unfortunately I think this is the new normal, unless or until these large internet companies, banks and retailers can repel cyber-attacks and hacking. But that seems like a long time away.
"We're all going to have to get used to changing our passwords every several months it would appear," Sterling told redOrbit.
"The eBay breach is yet another password issue like Heartbleed. It is really important that people take this seriously. Data from our recent survey shows that nine out of ten people intended to change their passwords after Heartbleed, but only 40 percent took action. This careless attitude is completely irresponsible; people have to take the initiative to protect themselves," Ondrej Vlcek, Chief Operating Officer at anti-virus company AVAST Software, said in a statement.
"People should change their passwords every three to six months and choose complex passwords containing upper and lower case letters, numbers and symbols. Moreover, each account, especially accounts containing personal information and credit card details, should have its own password. In a situation like this you really don't want your PayPal and eBay accounts to have the same passwords," Vlcek added.