Better late than never – maybe.
Three months after a massive cyberattack on its network, online buying platform eBay has told 145 million users that they should change their passwords.
The attack happened between late February and early March. The attackers made off with email addresses, encrypted passwords, birth dates, mailing addresses and other data.
A report by Reuters Canada says the stolen data did not include financial information. eBay has said that there has been no evidence of unauthorized access to financial or credit card information at its PayPal subsidiary. PayPal stores and encrypts its data separately.
Security experts told eBay customers they should be on the alert for fraud, especially if they use the same passwords for other accounts.
“This is not a breach that only hurts eBay. This is a breach that hurts all websites,” said Michael Coates, director of product security with Shape Security. Coates said companies typically ask users to change passwords only if they think there’s a reasonable chance attackers could unscramble encrypted passwords.
Coates said that once attackers unscramble the passwords they could try to log on to thousands of other popular services, including Facebook, Twitter, popular email services and online banking sites, using automated tools.
eBay spokeswoman Amanda Miller said the company was requesting the password change “out of an abundance of caution” and that eBay uses “sophisticated,” proprietary hashing and salting technology to protect the passwords.
Amit Yoran, senior vice president of EMC Corp’s RSA security division, said that cyber criminals sometimes exploit data from multiple breaches, combining it into comprehensive portfolios that fraudsters can then use for scams.
“We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals,” Yoran said. “The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud.”
eBay says it is investigating the breach with the help of law enforcement agencies. The company has withheld comment on the number of accounts affected, but did say that it is likely a large number.
eBay says it hasn’t seen any sign of increased fraudulent activity on eBay, and that there’s no evidence its PayPal online payment service has been breached.
The hackers managed to get hold of login credentials of a small number of eBay employees, the company said. This allowed them to access eBay’s corporate network.
The breach was discovered earlier this month, and eBay brought in security experts and law enforcement to investigate. “We worked aggressively and as quickly as possible to ensure accurate and thorough disclosure of the nature and extent of the compromise,” Miller said.
Research experts say there isn’t enough information available to assess whether eBay has been negligent. “The real key question going forward will be if any money has been stolen, or any unauthorized activity been performed,” Wedbush Securities analyst Gil Luria said. “As long as this is not the case, this thing will come and go and will not be an issue for eBay.”
Experts say virtually every major corporation and government agency has been hacked at least once. Consensus opinion is that it’s pretty much impossible to keep hackers from getting into networks using social engineering methods, such as sending phishing emails that lure targets to tainted websites or entice them to click on malicious links. In some cases attackers infect websites frequented by their targets, such as the site of a local restaurant’s sandwich shop or those of professional organizations.
This isn’t the first time eBay has been hacked. In February, the Syrian Electronic Army, a hacker group reputed to have ties to the Syrian government, broke in and defaced Web sites belonging to PayPal UK as well as eBay itself.