Earlier today, we learned details of the latest cyber attack to affect a major online retailer when eBay reported that a database containing encrypted passwords and other non-financial data had been compromised.
The company is asking its users — all 128 million of them — to change their passwords as a precautionary measure, joining others who have recently been required to issue large-scale password resets including Yahoo, AOL and Evernote. EBay says extensive network tests have so far found no evidence of any unauthorized activity for users or unauthorized access to financial or credit card information (which is stored separately).
As in other recent incidents, eBay says, cyberattackers acquired a small number of employee log-in credentials, giving them access to eBay’s corporate network. The database was apparently compromised between late February and early March and included eBay customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The break-in was first detected about two weeks ago, but the announcement was delayed until eBay could fully investigate what information had been accessed.
“Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers,” eBay said in a statement.
The company emphasized it has no evidence of compromises to personal or financial information for users of PayPal, which eBay owns, since PayPal data is stored separately on another secure network.
In what is becoming a common refrain after this type of breach, the company also recommends users change their passwords on any sites where they use the same password as on eBay. In general, using the same password across multiple sites is a security no-no: an incident like today’s at one site puts every other account that shares the password at risk.