It seems that someone at eBay let the cat out of the bag earlier today, pre-releasing advice to users to change their passwords before the rest of the company was ready to make an announcement.
Well, now the company *has* made an official announcement.
Later today, eBay Inc. will be asking all eBay users to change their passwords due to a cyber attack that compromised an eBay database containing encrypted eBay passwords and other non-financial information. eBay will notify its user base directly within the next 24 hours with more details.
Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.
In addition to asking users to reset passwords, eBay Inc. said it will also encourage any eBay user who used the same password on other sites to change those, too.
We will update the PayPal Forward blog and eBay Inc blog with more details later today.
More information has been provided in an official news release from eBay:
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could be cracked or decrypted, and fall into the hands of malicious attackers.
Furthermore, although financial information may not have been compromised, it sounds as if other personally identifiable information has been exposed as well.
Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet.
eBay’s handling of this incident has so far been a bit slipshod, with its seemingly accidental public leak earlier today. Let’s hope the rest of the company’s response to this security incident runs a little smoother.
How to change your eBay password
- Log into your eBay account
- Click on your name in the top left corner, and select Account Settings
- Now click “Personal Information”. You should see an option to “edit” your password.
- You will make sure you’re not using the same password anywhere else, won’t you? Good.
7 comments on “eBay confirms security breach. Users asked to change passwords”
It's a bit sad that only PayPal supports 2FA and not eBay.
I use a Symantec VIP Security Card for 2FA with eBay.
eBay does support two-factor. I use the same Cryptocard token on both eBay and PayPal.
This may explain the daily calls I've been getting for the past few weeks from random and invalid 800 numbers.
Well, I've just visited the eBay.co.uk login page, where I couldn't see any obvious information about this security breach.
I logged in – still no message.
I checked my Inbox – still no message.
I went to my Personal Details page – still no message.
I chose to Edit my password – and it is only NOW that the page provides a message saying that it is advisable to change my password.
That's hardly what I would call proactively informing its users.
Has there been any specific information from eBay or anywhere else that suggests whether the hackers have got users' security questions and answers? And if they have, are the questions and answers encrypted, I wonder? I presume so.
So, I enter the new password, click "Submit", and the website displays the following message:
"Sorry! We're currently experiencing technical difficulties and are unable to complete the process at this time"
Shortly thereafter I get an email saying that my password has been changed. So…er, which is it?
The way eBay has handled this entire security breach fairly screams "We're incompetent", so I probably shouldn't be surprised that they'd blow it on changing the password too.