EBay, hit by a cyber attack, urges 145 million users to change passwords
Online auction giant eBay Inc. said early Wednesday it was hit by a cyber-attack and, as a precautionary measure, is asking its 145 million active users to change their passwords, because hackers had infiltrated a database containing encrypted passwords and other nonfinancial personal data.
In a statement on its website, the company said the attack that occurred in late February and March compromised “a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network.”
The attackers then used those credentials to access a database that included eBay customer names, encrypted passwords, e-mail addresses, physical addresses, phone numbers, and dates of birth. The company stressed that credit-card and other financial data, including that of its PayPal subsidiary, were not compromised.
The company said it has seen no indication of increased fraudulent account activity on eBay, evidence of unauthorized access, or compromises to personal or financial information for PayPal users.
“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” eBay said in a statement. “However, changing passwords is a best practice and will help enhance security for eBay users.”
But several factors still worry cyber-security experts – including the fact that the breach was detected only two weeks ago, apparently giving the hackers plenty of time to exploit the company network. Passwords, even though encrypted, are still subject to so-called “brute force” password cracking, cyber experts say. Also, a consumer often uses the same password across several sites, increasing the vulnerability. As well, the large amount of exposed personal information could still be a potential gold mine for identity thieves, they say.
The eBay breach follows the April disclosure of the “Heartbleed” vulnerability in Web-based encryption systems that potentially exposed about half of all Internet websites to hack attacks. Just last December, Target Corp. revealed a hack that potentially affected 110 million customers.
“This hack is particularly significant because eBay has a reputation for taking very strong security measures,” says Michael Sutton, vice president of security research for Zscaler, a cloud-based cyber-security firm with headquarters in Sunnyvale, Calif. “What’s been revealed so far suggests a targeted attack directed at specific employees, possibly a phishing attack. It’s got to be of concern that it was only discovered a couple of weeks ago.”
Companies have tended to rely on firewalls and other means to create a cyber-fortress. But what this hack shows is that it’s almost impossible to keep intruders out – and that the key is monitoring networks constantly to detect any intrusion quickly before massive damage can be done, Mr. Sutton says.
It also suggests a sea change has occurred – and may still be occurring – in how companies deal with such hacks. Until a few years ago, most companies did everything they could to bury such hacks, rather than make them public. But data disclosure laws – and the admission in early 2010 by Google that it had been hacked by Chinese cyber-spies – have helped companies fess up to cyber-breaches and forced them to improve their cyber-security.
“That’s the silver lining here,” Sutton says. “Partly as a result of Google doing what it did, we’re seeing a lot more companies admitting they’ve been hacked. They know it’s better to get the bad news out and deal with it. But it's still a front page headline, so CEO feet are now being held to the fire on cyber-security – and that’s also forcing companies to improve their security posture.”