Online auction giant eBay has coughed to a major security breach, in which pilfered staff credentials have been used to exfiltrate customer data from its servers - including names, email address and what it describes as 'encrypted' passwords.
The company, which owns payment processing specialist PayPal, claims that the attack took place when ne'er-do-wells as-yet unknown used 'a small number of employee log-in credentials
' to gain access to eBay's corporate network. The attack took place between late February and early March, but it was only two weeks ago that the company noticed the intrusion. Since its discovery, the company has been analysing its system and has come to the conclusion that user data was, indeed, downloaded.
'The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,
' the company has confirmed in a statement to press, meaning the attackers have a lot of what they would need for identity theft or other forms of fraud. 'However, the database did not contain financial information or other confidential personal information.
While eBay describes the passwords in the database as 'encrypted,' it has not confirmed yet whether it is referring to reversible encryption - a terrible way to store passwords - or non-reversible salted hashes, the industry-standard means of storing password information for later validation. If it's the latter, only users with already-weak passwords need be concerned by their theft; if the former, eBay's user base could be in considerable peril.
The attack is not believed to have resulted in the loss of any PayPal account details, but those who have linked their PayPal accounts to their eBay accounts for quicker check-out may be at risk of financial loss due to the attack; likewise those who share the same password and email address between the two services.
Anyone with an eBay account, active or otherwise, is advised to reset its password now