Customer passwords, information exposed in eBay hacking attack
Hackers hit e-commerce firm, but credit card data safe, company says
E-commerce company eBay has urged users to change their passwords after a cyberattack on its database that contained encrypted passwords, physical addresses and phone numbers.
The company said client identity information including e-mails, addresses and birthdays was stolen in a hacking attack between late February and early March.
The company said it found no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats.
EBay shares fell as much as 3.2 per cent in yesterday's morning trading in New York after the latest high-profile hacking attack on a US company.
"For the time being, we cannot comment on the specific number of accounts impacted," eBay spokeswoman Kari Ramirez said. "However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords."
EBay is asking users to change their passwords on its own service and on any other site where that password is used. An eBay spokeswoman said the attack did not affect data from PayPal, the finance and payments unit of the company, noting that PayPal data was stored separately.
Potentially affecting eBay's 128 million active users globally, the attack could be one of the largest affecting a retailer, and comes just months after retail giant Target disclosed a breach that could affect more than 100 million customers.
The company said it detected "compromised employee login credentials" about two weeks ago and began an investigation.
"Cyberattackers compromised a small number of employee login credentials, allowing unauthorised access to eBay's corporate network," the company said. The announcement came amid some confusion about the breach. The company appeared to post a statement, then removed it before issuing a news release, said London-based security consultant Graham Cluley.
"EBay's handling of this incident so far has been a bit slipshod with its seemingly accidental public leak earlier today," Cluley wrote in a blog post. "Let's hope the rest of the company's response to this security incident runs a little smoother."
Cluley said users should update with a hard-to-crack password following the breach.
"Clearly eBay is concerned that the passwords in the compromised database - albeit encrypted - could easily be decrypted and fall into the hands of malicious attackers," he said.
"Furthermore, although financial information may not have been compromised, it sounds as if other personal identifiable information has been exposed as well."
Target has been dealing with the fallout from its massive data breach since the news was disclosed in December.
Earlier this month, Target chief executive Gregg Steinhafel announced he was stepping down. In its fourth-quarter report, Target booked a US$17 million net charge for the breach, but warned it could not estimate future costs stemming from customer losses and expenses.
A survey released yesterday by the security firm Trustwave said it had identified 691 breaches across 24 countries in 2013.
Agence France-Presse, Reuters, Bloomberg