It seems that someone at eBay let the cat out of the bag earlier today, pre-releasing advice to users to change their passwords before the rest of the company was ready to make an announcement.
Well, now the company *has* made an official announcement.
Later today, eBay Inc. will be asking all eBay users to change their passwords due to a cyber attack that compromised an eBay database containing encrypted eBay passwords and other non-financial information. eBay will notify its user base directly within the next 24 hours with more details.
Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.
In addition to asking users to reset passwords, eBay Inc. said it will also encourage any eBay user who used the same password on other sites to change those, too.
We will update the PayPal Forward blog and eBay Inc blog with more details later today.
More information has been provided in an official news release from eBay:
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
Clearly eBay is concerned that the passwords in the compromise database – albeit encrypted – could easily be cracked or decrypted, and fall into the hands of malicious attackers.
Furthermore, although financial information may not have been compromised it sounds as if other personal identifiable information has been exposed as well.
Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet.
eBay’s handling of this incident so far been a bit slip-shod with its seemingly accidental public leak earlier today. Let’s hope the rest of the company’s response to this security incident runs a little smoother.
How to change your eBay password
- Log into your eBay account
- Click on your name in the top left corner, and select Account Settings
- Now click “Personal Information”. You should see an option to “edit” your password.
- You will make sure you’re not using the same password anywhere else, won’t you? Good.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.