eBay Hacked, Users Urged to Change Passwords


This morning, news spread that eBay had been the victim of a cyber attack, though the exact nature of that attack is still something of a mystery. One thing is clear: eBay account holders will soon be urged to change their passwords.

The news of the eBay hack was first announced by the company’s subsidiary, PayPal. The hack apparently didn’t compromise PayPal’s security at all, so it’s a bit strange that the news was posted on PayPal’s blog but, as of this writing, hasn’t been mentioned on eBay’s main site at all.

According to the post, the hack “compromised an eBay database containing encrypted eBay passwords and other non-financial information.”

The post continues:

“Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.”

While eBay’s main site still lacks any information on the hack, eBay’s official blog has been updated to provide some more detail about what happened. Apparently, the hack occurred a few months ago and was first detected two weeks ago:

“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.”

Most importantly, however, eBay says that it “has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.” Still, the company says that a password change is in order, so you’d better jump on that if you have an eBay account.

Moreover, even though PayPal has given the all-clear regarding its own security, you may want to change your password there, too, just in case. After the big password security scare of Heartbleed, it’s a good idea to make sure that all your passwords are as secure and unique as possible. Make it tough for those hackers!

[eBay Blog, PayPal Blog]