eBay Hacked, Advises Users to Change Passwords

A cyber-attack compromised an eBay database, although the company claims no financial information was lost.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Online e-commerce and auction giant eBay today publicly acknowledged that its systems were breached in a cyber-attack. The attack compromised a database in late February and early March of this year, although eBay noted that it only detected the incident two weeks ago.

The compromised database did not contain personal or financial information, according to eBay. In addition, the company noted that there have not been any increased fraudulent activities occurring on eBay. The database that was compromised included nonfinancial information and encrypted passwords.

As a best practice, eBay is advising its users to reset their passwords to minimize any potential risks from the database breach.

Although full details of the breach have not yet been disclosed, eBay has indicated compromised employee credentials are partially to blame.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," eBay noted in a blog post. "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

The compromised database does not impact eBay's PayPal users either. In a blog post, PayPal noted that PayPal information is stored separately and information is not shared with eBay or other merchants.

"Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers," PayPal stated.

Security experts contacted by eWEEK were not surprised by the eBay disclosure and warn that more breaches are likely in the months and years ahead.

"It's not surprising that eBay's site was breached, and attacks like this can definitely be considered the new normal, as we've seen even in only the last few weeks," Maty Siman, founder and CTO of Checkmarx, told eWEEK. "Major organizations are compromised on a daily basis, jeopardizing a huge amount of sensitive user and company information."

Checkmarx is a code security vendor, and Siman is a strong advocate for the use of code scanning to find vulnerabilities.

"Organizations and companies need to take more precautions and take more security measures to protect their digital assets from the outset by examining their source code for vulnerabilities and eliminating them in advance," Siman said.

Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, told eWEEK that attacks aimed at compromising user IDs and passwords are going to be quite common going forward. That said, there are things that users can and should do to protect themselves.

Cowperthwaite suggests that users immediately change all of their passwords, not just their eBay passwords. Secondly, he suggests that users begin using a password manager and maintain different IDs and passwords for their various online systems that contain personal or financial information, like banks and online shopping.

"Organizations need to recognize that stores of user credentials are an asset that the bad guys are going to try and breach," Cowperthwaite said. "Even more importantly, organizations need to take effective, proactive actions to strengthen their information security."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.