Auction site eBay is asking all 233m users to change their passwords following a “cyber attack” that saw their names, email and postal addresses, phone numbers and dates of birth fall into the hands of hackers.
Online auction site eBay is telling all 233m of its users to change their passwords following a “cyber attack” which compromised a database of account information.
Names, email addresses, home addresses, phone numbers and dates of birth of all users have been stolen by hackers, the company admits.
But it reassured users in a blog post today that no financial data was accessed and that all credit card information is stored separately in an encrypted format.
“Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all eBay users to change their passwords,” the company told the Telegraph this afternoon.
It is thought that hackers managed to access some eBay employee log-ins which gave access to the company’s corporate network. From there the attackers were able to access the database containing users’ information and steal the data.
The company said that it is “aggressively investigating the matter” along with law enforcement agencies and will be using the “best forensic tools”.
“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,” said the company.
“However, the database did not contain financial information or other confidential personal information.
“Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
“We believe we have shut down unauthorized access to our site and have put additional measures in place to enhance our security.”
It is not yet clear why there was such a long delay between the attack and users being informed, but eBay says that it first discovered the attack “earlier in May”.
The company will be sending an email to each user today to notify them of the data breach and ask them to change their password. They will also be advised to change their log-in on any other websites if they used the same password there.
The news of the attack was initially leaked when the PayPal blog this morning briefly posted a message with the headline “eBay, Inc. to Ask All eBay users to Change Passwords.” but with no content other than the words “placeholder text”. It quickly disappeared, leaving users in limbo until a full post explaining the situation appeared on the eBay blog.
Chris Boyd, malware intelligence analyst at security firm Malwarebytes, said: “The company says that access to corporate servers was gained when a small number of employees were compromised. Whilst it’s impossible to say for sure until more detail emerges, this could be achieved as the result of a targeted ‘watering hole’ compromise or someone falling victim to spear phishing or another form of social engineering. These types of attacks aim to get inside pre-identified targets such as companies and other high-value institutions.”
“It’s important that people listen to eBay and, when notified by email, change their password, as well as updating any other site which uses the same log-in credentials.”