Huge cyberattack compromises 145 million eBay accounts

Better late than never – maybe.

Three months after a massive cyberattack on its network, online buying platform eBay has told 145 million users that they should change their passwords.

The attack happened between late February and early March. The attackers made off with email addresses, encrypted passwords, birth dates, mailing addresses and other data.

A report by Reuters Canada says the stolen data did not include financial information. eBay has said that there has been no evidence of unauthorized access to financial or credit card information at its PayPal subsidiary. PayPal stores and encrypts its data separately.

Security experts told eBay customers they should be on the alert for fraud, especially if they use the same passwords for other accounts.

“This is not a breach that only hurts eBay. This is a breach that hurts all websites,” said Michael Coates, director of product security with Shape Security. Coates said companies typically ask users to change passwords only if they think there’s a reasonable chance attackers could unscramble encrypted passwords.

Coates said that once attackers unscramble the passwords they could try to log on to thousands of other popular services, including Facebook, Twitter, popular email services and online banking sites, using automated tools.

eBay spokeswoman Amanda Miller said the company was requesting the password change “out of an abundance of caution” and that eBay uses “sophisticated,” proprietary hashing and salting technology to protect the passwords.

Amit Yoran, senior vice president of EMC Corp’s RSA security division, said that cyber criminals sometimes exploit data from multiple breaches, combining it into comprehensive portfolios that fraudsters can then use for scams.

“We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals,” Yoran said. “The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud.”

eBay says it is investigating the breach with the help of law enforcement agencies. The company has withheld comment on the number of accounts affected, but did say that it is likely a large number.

eBay says it hasn’t seen any sign of increased fraudulent activity on eBay, and that there’s no evidence its PayPal online payment service has been breached.

The hackers managed to get hold of login credentials of a small number of eBay employees, the company said. This allowed them to access eBay’s corporate network.

The breach was discovered earlier this month, and eBay brought in security experts and law enforcement to investigate. “We worked aggressively and as quickly as possible to ensure accurate and thorough disclosure of the nature and extent of the compromise,” Miller said.

Research experts say there isn’t enough information available to assess whether eBay has been negligent. “The real key question going forward will be if any money has been stolen, or any unauthorized activity been performed,” Wedbush Securities analyst Gil Luria said. “As long as this is not the case, this thing will come and go and will not be an issue for eBay.”

Experts say virtually every major corporation and government agency has been hacked at least once. Consensus opinion is that it’s pretty much impossible to keep hackers from getting into networks using social engineering methods, such as sending phishing emails that lure targets to tainted websites or entice them to click on malicious links. In some cases they infect websites frequented by their targets, such as the site of a local restaurant or sandwich shop, or those of professional organizations.

This isn’t the first time eBay has been hacked. In February, the Syrian Electronic Army, a hacker group reputed to have ties to the Syrian government, broke in and defaced Web sites belonging to PayPal UK as well as eBay itself.

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
