eBay Database Breached, Forced Password Changes Loom

The online retail and auction giant eBay announced this morning that attackers compromised a database containing encrypted user-passwords and other sensitive information. The company plans to contact affected users via email and post a notification on its website later today. At some point in the near future, users will be forced to change their passwords for that service.


The company says it does not believe that there has been any unauthorized customer account activity as a result of the breach. Furthermore, eBay Inc. is claiming that user-financial data as well as PayPal information is not at risk because that data – which is also encrypted – is stored on separate, unaffected servers.

“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” the company said in a statement. “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”

The information stored on the compromised database is said to include eBay customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. eBay says it first discovered the compromised employee credentials two weeks ago. Some time between then and now the company claims it identified which database was affected, and is now contacting customers accordingly.

eBay account holders should receive an email notification from the company later in the day. eBay will also post notifications on its website at that time.

Users will eventually be forced to change their passwords on eBay and are encouraged to change passwords for other accounts if they are using the same passwords elsewhere. Trey Ford, a global security strategist at the security firm Rapid7, noted in an email that these passwords will eventually be decrypted, which is why it is particularly important that users change these and any shared passwords.

This is precisely why you should never share passwords. When breaches like this one occur, attackers create automated tools that enter breached user-name and password combinations into popular online services in an attempt to compromise accounts on those sites as well.

“Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter,” Ford went on to note. “Expect an uptick in phishing, do not click links in email, or discuss anything over the phone.”

This is particularly important: Make sure you navigate directly to the eBay website to change your password. You should not change your password following a link from email. As this news becomes more widespread, attackers will probably begin crafting phishing emails – purporting to come from eBay and perhaps PayPal as well. These emails generally present users with links leading to malicious sites that look like legitimate ones. These links will claim to enable password resets, but, in reality, they are often attempts to get users to willingly hand over login information.

Send to Kindle