eBay is asking users to change their passwords in light of a cyberattack that compromised a database containing encrypted passwords and other data.
The company says that it has not found any evidence of the compromise causing unauthorized activity among eBay users, and no financial data has been impacted. In response to the attack, the company says it shut down unauthorized access and put additional security measures in place, though it did not say specifically what those measures are.
"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," according to a statement eBay posted online. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."
According to the company, the compromise occurred between late February and early March and was detected roughly two weeks ago. The database that was hit held customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. It did not contain financial or other confidential information, and eBay says it has found no evidence of unauthorized access to, or compromise of, information belonging to PayPal users.
PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted, eBay noted. Likewise, the company says it has not found evidence of unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, GumTree, or GittiGidiyor.
This breach highlights the importance of companies placing tighter controls on how user credentials are stored and protected, says Brendan Rizzo, Technical Director for Voltage Security.
"It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have 'hashed' and 'salted' its passwords," says Rizzo. "If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally-identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user's behalf."
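Rizzo's point rests on the difference between a fast, unsalted hash and a salted, deliberately slow one. The following is an added illustration written for this article, not code from eBay or from Voltage Security: it stores a handful of constructed, made-up accounts both ways, then runs the same small wordlist against each store and counts how much hashing the attacker has to do. Against the unsalted store, one table built from the wordlist cracks every user at once, and two users who share a password are exposed as such by their identical hashes; against the salted store, every user costs the attacker a separate run of the slow function. The account names, passwords, wordlist and PBKDF2 work factor are all assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data for this example (not records from the eBay breach):
# three accounts, two of which chose the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "correct horse battery"}

# A tiny wordlist standing in for the dictionaries attackers run against leaked hashes.
WORDLIST = ["123456", "password", "sunshine1", "letmein"]

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# a production deployment should use a much higher count.
ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attack the weak scheme: hash each word once, then look every user up in the table.
    Returns (recovered passwords, number of hash computations)."""
    table = {unsalted_hash(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, len(wordlist)


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attack the salted scheme: no shared table is possible, so every (user, word)
    pair costs one full slow hash. Stops at the first hit per user."""
    recovered, ops = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            ops += 1
            if verify_password(record, word):
                recovered[user] = word
                break
    return recovered, ops


def demo() -> dict:
    """Build both stores from the sample accounts and attack each with the wordlist."""
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    weak_found, weak_ops = crack_unsalted(weak, WORDLIST)
    strong_found, strong_ops = crack_salted(strong, WORDLIST)
    return {
        "weak_found": weak_found, "weak_ops": weak_ops,
        "strong_found": strong_found, "strong_ops": strong_ops,
        "same_hash_weak": weak["alice"] == weak["bob"],
        "same_hash_strong": strong["alice"] == strong["bob"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With this wordlist both stores eventually give up alice's and bob's weak password, which is the "if this was performed correctly" caveat in practice: salting and a slow hash do not protect a password that is in the attacker's dictionary, they only make each guess cost a full PBKDF2 run per user instead of one SHA-1 for the whole database. Raising the iteration count (or moving to a memory-hard function such as scrypt or Argon2) scales that cost up; a strong, unique password is what keeps a user out of the recovered set altogether.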
Two concerns stand out: One, passwords will eventually be decrypted, and two, attackers will now have access to data making it easier for them to sound legit, says Trey Ford, Global Security Strategist at Rapid7.
"Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter," he says. "Expect an uptick in phishing, do not click links in email, or discuss anything over the phone. Call customer service or go directly to websites as you normally would."
eBay says it is working with law enforcement. Users who reuse their eBay password on other sites should change it on those sites as well.
As of the end of the first quarter of 2014, eBay had 145 million active buyers.