Following an odd blog post which appeared overnight and then was quickly taken down advising eBay users to reset their passwords, eBay has now published its official statement informing its users about a cyberattack that compromised a database containing encrypted passwords and other non-financial data. Ebay says it currently has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence that the cybercriminals were able to access users’ financial info or credit card details, which is stored separately from the password data, and is also encrypted.
The company suggests that users still change their passwords as a precaution.
“Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers,” the company said in a statement released this morning. “We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”
More worryingly, the company said the attack compromised a “small number of employee log-in credentials,” as well, allowing the attackers unauthorized access to eBay’s corporate network. The company is now working with law enforcement and leading security experts to further investigate, it noted.
The database was not compromised recently, however. Instead, the attack took place between late February and early March. eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were stolen. Though the passwords themselves can be reset this other personal data could aid in identity theft, if that was the criminals’ intention.
eBay, though, says it has not seen unauthorized access from these users’ accounts.
The company will alert users later today via email, site communications and elsewhere about this breach, and will ask users to reset their passwords at that time. If you used your eBay password on other websites as well, it’s suggested you change those, too.
“A Large Number Involved”
We asked eBay for more details on the number of accounts affected by this breach, and the company declined to say.
However, a spokesperson did inform us that “we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords.”
The company also declined to provide more information about the nature of the attack, potential suspects and how they were first alerted to the breach, saying only that they are working with law enforcement and security experts who are actively investigating.
Just before 5 AM ET today, TechCrunch was tipped that a post about this password breach briefly appeared on eBay’s website before oddly disappearing. A number of other websites, including CNET and Engadget also received this same tip. Apparently, someone at eBay had accidentally published ahead of schedule, then took it down.
More to come.
This story is developing…