Several U.S. states, including Connecticut, Florida, and Illinois, are jointly leading an investigation into eBay’s security practices, following eBay’s disclosure this week of a massive cyberattack that the company says compromised a large number of users’ personal information. Though eBay claims that financial data, which was stored separately, was not acquired during this breach, the offices of these state attorneys general are taking the matter seriously after a series of high-profile attacks at retailers like Target, Neiman Marcus and Michaels have left U.S. consumers vulnerable to identity theft.
eBay has so far not disclosed much about the cyberattack itself, declining to say how it first realized its network had been compromised, or who it suspects was behind it. The company says the attack took place between late February and early March, and involved the theft of eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. An active investigation is now underway, the company says.
It’s unclear, given how little is known about the attack itself, what authority these U.S. states would have to intervene in this matter or to pursue any sort of legal action against eBay. But the offices have released statements indicating they’re now joining in the investigation, as a first step.
For example, Connecticut Attorney General George Jepsen urged consumers to change their eBay passwords, noting that the state had approximately 660,000 active eBay users who could have been affected. “My office will be looking into the circumstances surrounding this breach as well as the steps eBay is taking to prevent any future incidents,” he said.
In Florida, Attorney General Pam Bondi noted, “the magnitude of the reported eBay data breach could be of historic proportions,” adding that her office was joining the investigation into the breach, which may have affected, in total, 145 million users.
Elsewhere, though New York Attorney General Eric Schneiderman hasn’t yet announced a formal investigation, his office is requesting that eBay provide consumers with some protection in the form of credit monitoring. “The news that eBay has discovered a security breach involving customer data is deeply concerning… Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach,” he says.
Because of the scale of the attack, eBay’s website has struggled under the load of password reset requests. Earlier this week, for instance, a number of users were seeing “high traffic volume” error messages when they reached the password reset page on eBay’s website, which prevented them from completing the process.
And yesterday, eBay announced that it will take some time for every user to receive its “reset email,” which is the email the company is planning to send out to all affected users, alerting them to the attack and asking them to change their passwords, if they haven’t already done so.
eBay is also reminding users that its password reset email will not contain any links, and that if you receive an email purporting to be from eBay with links, it’s a fake. The company continues to advise that users visit the website directly to make their password changes. Further updates regarding this attack, as well as a FAQ on how to proceed, are on info.ebayinc.com.