bit-tech.net

eBay coughs to major data breach

eBay has admitted that its systems have been compromised and customer account details, including 'encrypted' passwords, stolen by attackers unknown.

Online auction giant eBay has coughed to a major security breach, in which pilfered staff credentials have been used to exfiltrate customer data from its servers - including names, email addresses and what it describes as 'encrypted' passwords.

The company, which owns payment processing specialist PayPal, claims that the attack took place when ne'er-do-wells as-yet unknown used 'a small number of employee log-in credentials' to gain access to eBay's corporate network. The attack took place between late February and early March, but it was only two weeks ago that the company noticed the intrusion. Since its discovery, the company has been analysing its system and has come to the conclusion that user data was, indeed, downloaded.

'The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,' the company has confirmed in a statement to press, meaning the attackers have a lot of what they would need for identity theft or other forms of fraud. 'However, the database did not contain financial information or other confidential personal information.'

While eBay describes the passwords in the database as 'encrypted,' it has not confirmed yet whether it is referring to reversible encryption - a terrible way to store passwords - or non-reversible salted hashes, the industry-standard means of storing password information for later validation. If it's the latter, only users with already-weak passwords need be concerned by their theft; if the former, eBay's user base could be in considerable peril.
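
The salted-hash case described above, as an added example that is not code from eBay or from this article: each record stores a random salt and a slow one-way digest, so the password cannot be read back, yet a defender-side audit against a list of common passwords still flags the weak ones. PBKDF2-HMAC-SHA256, the work factor, the function names and the sample users are all assumptions made for illustration; the article does not say which scheme eBay used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, kept low so the example runs quickly


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Build a storable record; the password cannot be decrypted back out of it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Re-derive the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def audit_weak_passwords(user_db, common_passwords):
    """Defender-side audit: list accounts whose record matches a common password."""
    flagged = []
    for user, record in user_db.items():
        if any(verify_password(guess, record) for guess in common_passwords):
            flagged.append(user)
    return sorted(flagged)


# Constructed sample data: these users and passwords are invented for the example.
SAMPLE_DB = {
    "alice": hash_password("password1"),
    "bob": hash_password("password1"),  # same weak password as alice
    "carol": hash_password("kV9#tq2!Lm_x84zRw"),
}
COMMON_PASSWORDS = ["123456", "password1", "qwerty", "letmein"]

if __name__ == "__main__":
    # Same password, different salts: the two stored digests do not match.
    print(SAMPLE_DB["alice"]["digest"] != SAMPLE_DB["bob"]["digest"])
    # Only the accounts with a common password are flagged.
    print(audit_weak_passwords(SAMPLE_DB, COMMON_PASSWORDS))
```

With reversible encryption there is no such split between weak and strong passwords: whoever obtains the decryption key can read every stored password directly.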

The attack is not believed to have resulted in the loss of any PayPal account details, but those who have linked their PayPal accounts to their eBay accounts for quicker check-out may be at risk of financial loss due to the attack; likewise those who share the same password and email address between the two services.

Anyone with an eBay account, active or otherwise, is advised to reset its password now.

2 Comments

mi1ez 22nd May 2014, 23:43
Why take 2 weeks before telling people to change passwords?! Tell people there's been a possible intrusion, recommend a password change while investigating!
SinxarKnights 23rd May 2014, 11:10
Quote:
Originally Posted by mi1ez
Why take 2 weeks before telling people to change passwords?! Tell people there's been a possible intrusion, recommend a password change while investigating!

It has already been 2 months, what is another 2 weeks I guess?