eBay revealed that attackers “compromised a database containing encrypted passwords and other non-financial data” between late February and early March. The database included names, e-mail addresses, home addresses, phone numbers, and dates of birth. While there is “no evidence of the compromise resulting in unauthorized activity for eBay users,” the company is recommending that users change their passwords.
The attackers were able to log in to eBay employee accounts.”Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” the eBay announcement said. “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”
eBay detected the unauthorized employee logins two weeks ago, and “[e]xtensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.” Financial and credit card information was apparently not affected as it is “stored separately in encrypted formats.” PayPal data is also stored separately.
eBay will notify users of the problem and ask them to change their passwords later today. The company did not say what method it uses to obscure passwords.
eBay users should be wary of anyone contacting them claiming to be eBay or any other company. They should also anticipate an increase in phishing e-mails. That means they should avoid clicking links in e-mail or discussing anything sensitive over the phone. People who use their eBay password on other sites or services should immediately change it. Adapted from arstechnica.com