The latest breach of online marketplace eBay’s network enabled hackers to gain access to the personal data of 145 million customers. On Wednesday, the company urged users to change their passwords after the biggest-ever “cyberattack” on a database containing encrypted passwords and non-financial data.
As of the end of its first quarter, the company has 145 million active buyers.
According to the statement issued by eBay, the breach, detected two weeks ago, did not give the hackers access to customers’ financial information. It did, however, affect a database containing encrypted passwords as well as customer names, home addresses, email addresses, phone numbers and dates of birth, which were not encrypted.
Data for PayPal, the company’s payment system, is stored separately on a secure network, and all PayPal financial information is encrypted.
eBay contacted the Federal Bureau of Investigation’s San Francisco office as well as an outside computer forensics firm. Hackers are assumed to have retrieved eBay databases by using the accounts of company employees as long ago as February and early March.
The organisation has 128 million active users and accounted for £126 billion worth of commerce in 2013.
A statement from the firm, which is based in San Jose, California, said: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’
“We all know that given enough time hackers can crack some encrypted password files,” said Alan Woodward, an independent security consultant.
“The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems through password reset scams.”
“The scope for damage is absolutely huge and could be the biggest hack of all time, given the number of users eBay has,” said Rik Ferguson, global vice president of security research at security software firm Trend Micro.
As a precaution, the password reset process will be initiated by email as well as on-site, even though the stolen passwords were encrypted and show no evidence of being compromised.
Shoppers who use the same password on other sites are encouraged to change those passwords too.
“It’s important that people listen to eBay and, when notified by email, change their password, as well as updating any other site which uses the same log-in credentials,” said Chris Boyd, a malware intelligence analyst at security firm Malwarebytes.