Massive breach at eBay, which urges password change (Update 2)

May 21, 2014 by Sophie Estienne
eBay said cyberattackers broke into its database with customer names, passwords and other personal data earlier this year

US online giant eBay said Wednesday cyberattackers broke into its database containing customer passwords and other personal data in what could be one of the biggest breaches of its kind.

The California company said it was notifying its customers, urging them to change passwords to protect themselves.

An eBay statement said the database was compromised between late February and early March and "included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth."

But it added that it "did not contain financial information or other confidential personal information."

An eBay spokeswoman said the attack did not affect data from PayPal, the finance and payments unit of the company, noting that such details are stored separately.

"For the time being, we cannot comment on the specific number of accounts impacted," spokeswoman Kari Ramirez said in an email.

"However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords."

One of largest breaches

Potentially impacting eBay's 128 million active users globally, the attack could be one of the largest targeting a retailer, and comes just months after US giant Target disclosed a breach that may have affected more than 100 million.

The company said it detected "compromised employee log-in credentials" about two weeks ago and began an investigation.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," it said in a statement.

eBay "is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," it said, noting it was working with law enforcement and security experts.

"Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers," it added.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

Crooks 'wandered around'

Paul Ducklin at the British security firm Sophos said the incident appeared to be a major security breach.

"It seems that the crooks didn't just prise loose the database file with some kind of database command injection," he said in a blog post.

"Crooks had broken in and wandered around."

The announcement came amid some confusion. The company appeared to post an initial statement, then removed it before issuing a news release, said London-based security consultant Graham Cluley.

"Let's hope the rest of the company's response to this security incident runs a little smoother," he said in a blog post.

Simon Crosby at the California-based security firm Bromium said the eBay and Target attacks are similar to other intrusions where a single device can be compromised, allowing hackers access to the entire network.

"The quickest way into your cloud is through a compromised client, a PC or another device where a user has full credentials," he told AFP.

"That is a lot easier than trying to break into the cloud," said Crosby, whose firm sells software that isolates devices from the networks.

Target has been dealing with the fallout from its massive data breach since news was disclosed in December.

Earlier this month, chief executive Gregg Steinhafel announced he was stepping down.

In its fourth-quarter report, Target booked a $17 million net charge for the breach, but warned it could not estimate future costs that might stem from claims for customer losses and payments for civil litigation and investigations.

A survey released Wednesday by the security firm Trustwave said it identified 691 breaches across 24 countries in 2013, with the number of incidents up 53.6 percent over 2012.

"In the majority of cases we investigated, attackers targeted payment card data," the report said.

"A global, thriving underground provides for quick monetization of stolen data—no matter where the victim or attacker resides. As long as criminals can make money by stealing data and selling that sensitive information on the black market, we don't expect data compromises to subside."

Explore further: Affinity Gaming reports payment system was hacked

add to favorites email to friend print save as pdf

Related Stories

Many in US believe the were hit by Heartbleed

Apr 30, 2014

Many Americans scrambled to protect their personal information online after learning of the Heartbleed Internet flaw, and some believe their data was stolen, a survey showed Wednesday.

What you need to know about the Heartbleed bug

Apr 09, 2014

Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.

Recommended for you

PIN customers can avoid heat of thief's phone attachment

7 hours ago

Engineer Mark Rober has some words of advice in guarding the safety of your PIN. His advice comes in the form of a video where he demonstrates that a thief can steal a PIN by using a thermal imaging attachment ...

Protecting privacy also means preserving democracy

11 hours ago

What impact does the proliferation of new mobile technologies have? How does the sharing of personal data over the Internet threaten our society? Interview with Professor Jean-Pierre Hubaux, a specialist ...

US cyber-warriors battling Islamic State on Twitter

Aug 31, 2014

The United States has launched a social media offensive against the Islamic State and Al-Qaeda, setting out to win the war of ideas by ridiculing the militants with a mixture of blunt language and sarcasm.

What metadata does the government want about you?

Aug 28, 2014

With the leaking of a discussion paper on telecommunications data retention, we are at last starting to get some clarity as to just what metadata the Abbott government is likely to ask telecommunications ...

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

Lex Talonis
not rated yet May 22, 2014
Taking months to get around to notify anyone....
alfie_null
not rated yet May 22, 2014
In hindsight, there's probably all sorts of stuff they should have been doing that would have prevented this. Two factor authentication. Separation of duties. Etc. Stuff we all know are good practices but don't employ. Security measures are too often reactive rather than proactive.