eBay urges users to reset passwords

eBay is taking action after being targeted by hackers

First published in News

E-commerce giant eBay has told all its users to change their passwords in the wake of a cyber attack on the popular online marketplace.

In a statement on the company's website, the US-based business said they were asking users to reset their passwords after an attack "compromised a database containing encrypted passwords and other non-financial data".

The site, which has more than 14 million active users in the UK, was quick to say that it believes no unauthorised access was gained to personal data, but that a password reset was the best practice to help ensure security.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network," said the statement.

"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers. Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

eBay said that the database was breached at some point in late February and early March, with access gained to personal customer information including password, address and date of birth. However, the company says that no financial information has been compromised as this data is stored on a separate database under a different encryption.

"The compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today," said the statement.

"The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorised access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."

The internet is still recovering from the Heartbleed bug, a flaw in the OpenSSL encryption software on computers that protects user information when someone is online.

The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web. UK parental advice site Mumsnet was the first to admit they had been a victim of the bug. Fixes, or "patches", have since been applied across the web as sites recover from the bug.

A spokesman for eBay said: "Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all eBay users to change their passwords. Recently, our company discovered a cyberattack on our corporate information network which compromised a database containing eBay user passwords.

"There is no evidence that any financial information was accessed or compromised; however we are taking every precaution to protect our customers."

Michela Menting, cybersecurity practice director at technology market experts ABI Research, said that eBay's security set-up and response should make users feel reassured.

"It's early days yet but eBay appears to be going about it the right way. It seems that the attackers managed to gain employee credentials through social engineering - a difficult type of fraud that is tricky to avoid completely, even with the best defences in place. Consequently, incident response mechanisms have to be ironclad in order to minimise fall-out. It also appears that eBay have effectively siloed databases for financial info from customer information. The fact that passwords were encrypted is also reassuring.

"Finally I think their timely public announcement - two weeks after discovery - helps to reassure not only public opinion, but also their own brand reputation. Transparency when dealing with incident response for an event that has affected customers, in this case millions, is highly commendable and helps to keep a higher level of trust than if the news were revealed by another source - it means that eBay takes security seriously."

However, Ms Menting believes that the online marketplace is not completely clear of scrutiny just yet, with the publicity of this attack likely to draw closer inspection of eBay's existing security procedures.

"It remains to be seen whether the current defence and response mechanisms in place will stand up to scrutiny now that the attack has been publicised," she said.

"Having a plan in place does not always mean all procedures were viable or solid. If they crumble under the dissection by security professionals, we may yet see another CEO resign. So far, however, it seems eBay has matters well in hand."

Comments (5)

6:03pm Wed 21 May 14

Independentvoter says...

In the meantime - whilst our security is compromised on e-bay - Let's support our City Centre traders!
  • Score: -1

11:02pm Wed 21 May 14

Mike0408 says...

They are URGING people to change their password, they are not doing their best job, are they?? They haven't even sent emails out to warn people and NOTHING on their home page.

If they think their security was compromised and their users at risk, why did they not reset all users' passwords to something random OR suspend everyone's account and email them about it?

Or when they log in with original account details, have a WARNING come up urging them to change it??
  • Score: 3

8:03am Thu 22 May 14

Mervyn James says...

Not a problem for me, I never use online to buy anything, I was told day one nothing is safe. The recent Heartbleed virus snatched 70% of everyone's personal details online, most still don't change entirely passwords and pin numbers etc., stupid!
  • Score: 0

12:46pm Thu 22 May 14

Mike0408 says...

Mervyn James wrote:
Not a problem for me, I never use online to buy anything, I was told day one nothing is safe. The recent Heartbleed virus snatched 70% of everyone's personal details online, most still don't change entirely passwords and pin numbers etc., stupid!

Well, a lot of us HAVE TO have our personal details online, for example the JOB CENTER demands you to sign up to universal job match and upload a C.V. to the site so employers can contact you.
If you fail to do this they sanction you, which means they won't pay you anything and you have to apply for hardship payments and live off food banks as hardship payments only give you 40% of your job seekers (unless you have a child or expecting a child then it's 80%).

Also when you have a bank account, all your details are online as they put it all online.

Pretty much everyone has got their details online and they can't help but have it online.
  • Score: 0

7:19am Fri 23 May 14

bravoscar says...

Oh no please don't use my eBay account and buy stuff and send it to my address that would be a nightmare?
  • Score: 0
