on
tutorial
- Get link
- Other Apps
eBay is to force users to change their passwords following a cyber-attack that compromised one of its databases.
The US firm said the database was hacked between late February and early March, and had contained encrypted passwords and other non-financial data.
The auction site added that it had no evidence of there being unauthorised activity on its members' accounts.
However, it said that changing the passwords was "best practice and will help enhance security for eBay users".
The California-based company has 128 million active users and accounted for $212bn (£126bn) worth of commerce on its various marketplaces and other services in 2013.
A post on eBay's corporate site said that cyber-attackers accessed the information after obtaining "a small number of employee log-in credentials", allowing them to access its systems - something it only became aware of a fortnight ago.
"The database... included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth," it said.
"However, the database did not contain financial information or other confidential personal information.
"Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today."
Although the firm also owns the PayPal money transfer service, it said that the division's data was stored separately, encrypted and that there was no evidence that it had been accessed.
It added that any members who used the same login details used on eBay for other sites should also update them.
eBay has not provided any information about the kind of encryption it used.
One expert said there was still a concern that the hackers might be able to make use of their haul.
"We all know that given enough time hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant.
"The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems though password reset scams."
If you have an eBay account, it's time to change your password. The company released a statement today saying their internal and customer databases were compromised earlier this year, and starting today they'll prompt everyone to change their passwords.
Attackers made off with names, addresses, email addresses, phone numbers, birth dates, and of course, encrypted passwords. eBay explained that financial info like credit card numbers and other sensitive data (like PayPal accounts) are kept in a separate encrypted database which wasn't compromised. They also said they've found no evidence of unauthorized access or activity by registered eBay users—which is code for "we don't think anyone's used these passwords yet." According to the statement, intruders compromised employee accounts first, and used their access to get the data they really wanted. They discovered the breach about two weeks ago, but the actual attack took place back in late February and early March.
To change your eBay password, log into your account, then click your name in the upper left corner. Select Account Settings (or click here to go to it directly.) Click "Personal Information" on the left side of the page, and "edit" next to your password.
Comments