eBay has told people to change their passwords for the online tat bazaar after its customer database was compromised.
Names, dates of birth, phone numbers, physical addresses, email addresses and "encrypted" passwords were copied from servers by attackers, we're told. Credit card numbers and other financial records were not touched, and are stored separately, eBay claims. The website has hundreds of millions of user accounts.
Hackers accessed the database between late February and early March after obtaining a few employees' login credentials and using them to infiltrate the corporate network.
The digital break-in of staff accounts was detected about two weeks ago, and sparked a computer-forensics probe that is still ongoing. The website's investigators today revealed that a database containing customer information was accessed by the hackers.
eBay reckons everyone should change their passwords as a precaution – but it hasn't uncovered any evidence of fraud linked to the breach, it claims. One assumes eBay's techies have closed the hole the attackers exploited to infiltrate its systems, and have cleared those systems of the miscreants.
In a statement, the company added:
After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
eBay's handling of the breach notification has already created a fair bit of confusion: eBay-owned PayPal published, then deleted, an alert instructing users to change their passwords this morning.
The brief item on PayPal's site, which included the line "place holder text", was pulled before eBay confirmed the breach in a press release shortly afterwards. The warning was eventually restored, although PayPal is not affected by the eBay hack.
Exactly how the tat bazaar's passwords were "encrypted", and how the company was infiltrated, remain unexplained. Rik Ferguson, veep of security research at Trend Micro, poses these and other questions in a blog post.
The breach is bad news beyond the passwords themselves: now that eBay is telling its users to reset, it is easy to craft convincing phishing emails urging people to change their eBay passwords, with links that instead take victims to a site masquerading as eBay.com to swipe their credentials.
Weak passwords could also be cracked quickly if the website's hashing scheme isn't up to scratch – a fast, unsalted hash rather than a slow, salted one – and woe betide anyone using the same crap password across multiple sites with the same email address: a cracked eBay password plus the email address it belongs to is a ready-made login for every other site where that password was reused.
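To make the "up to scratch" point concrete, here is an added illustration (not eBay's code, and not a description of what eBay actually used, which the article says is unexplained). It simulates two hypothetical ways a site might store the same constructed set of user passwords and runs the same small dictionary attack against each leaked table: scheme A is a single unsalted SHA-1, scheme B is PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor. The usernames, passwords, wordlist and iteration count are all made up for the demonstration.

```python
import hashlib
import secrets

# Constructed sample data, not from any real breach: a tiny wordlist of common
# passwords and three users, two of whom picked the same weak one.
WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey"]
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "letmein"}

# Illustrative work factor for scheme B (hypothetical value).
PBKDF2_ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """Scheme A: one unsalted SHA-1. Cheap, and equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Scheme B: PBKDF2-HMAC-SHA256 with a per-user salt and a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def leak_unsalted(users: dict) -> dict:
    """What a leaked table looks like under scheme A: {user: hash}."""
    return {user: fast_unsalted_hash(pw) for user, pw in users.items()}


def leak_salted(users: dict) -> dict:
    """What a leaked table looks like under scheme B: {user: (salt, hash)}.
    The salt is stored alongside the hash; it is not a secret."""
    leaked = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        leaked[user] = (salt, slow_salted_hash(pw, salt))
    return leaked


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Dictionary attack on scheme A. Returns (recovered, hash_ops).
    Every candidate is hashed exactly once and looked up against all users at
    the same time, so the cost does not grow with the number of accounts."""
    table = {fast_unsalted_hash(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def crack_salted(leaked: dict, wordlist: list, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Dictionary attack on scheme B. Returns (recovered, hash_ops).
    The per-user salt forces a fresh PBKDF2 run for every (user, candidate)
    pair, and each run costs `iterations` HMAC computations."""
    recovered = {}
    ops = 0
    for user, (salt, h) in leaked.items():
        for word in wordlist:
            ops += iterations
            if slow_salted_hash(word, salt, iterations) == h:
                recovered[user] = word
                break
    return recovered, ops


if __name__ == "__main__":
    leaked_a = leak_unsalted(USERS)
    got_a, ops_a = crack_unsalted(leaked_a, WORDLIST)
    print("scheme A (unsalted SHA-1):", got_a, "after", ops_a, "hash ops")
    print("  alice and carol share a hash:", leaked_a["alice"] == leaked_a["carol"])

    leaked_b = leak_salted(USERS)
    got_b, ops_b = crack_salted(leaked_b, WORDLIST)
    print("scheme B (salted PBKDF2):", got_b, "after", ops_b, "hash ops")
    print("  alice and carol share a hash:", leaked_b["alice"][1] == leaked_b["carol"][1])
```

Both attacks recover the weak "letmein" for alice and carol (a slow hash protects a weak password only by making the attacker pay for every guess, not by making it unguessable), and neither recovers bob's stronger password from this wordlist. The difference is the bill: scheme A costs five hashes for the whole table, and the identical hashes for alice and carol hand the attacker the shared password for free; scheme B costs 1.3 million HMAC calls for three users and five guesses, and gives no hint that two accounts share a password.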
And the leaking of phone numbers, dates of birth, names and addresses puts many at risk of identity theft by fraudsters. The same personal information could also be used to make phishing emails appear more convincing.
"Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be decrypted and fall into the hands of malicious attackers," said infosec industry veteran Graham Cluley in a blog post.
"Of course, if you are changing your eBay password ensure that you choose a strong, hard-to-crack password, and not the same password as one you are using anywhere else on the internet," he added. ®