Nearly 150 million eBay users need to reset their password after unknown attackers accessed a database containing customers’ personal information, the retail giant said on Wednesday.

Attackers used “a small number” of stolen employee login credentials to get onto eBay’s corporate network and access the database, eBay said. The compromise happened between late February and March, but eBay discovered the breach only two weeks ago when it discovered the credentials had been stolen.

The database contained usernames, passwords, names, addresses, birth dates, phone numbers, and email addresses, eBay said. No financial information was stored on this database.

The passwords were encrypted, but that doesn’t mean attackers definitely won’t be able to crack the information. The company has seen “no evidence of the compromise resulting in unauthorized activity for eBay users,” but users should change their passwords right away.

“Over 80 percent of encrypted hashes [used on web applications] can be brute forced within 48 hours,” said Ilia Kolochenko, CEO of High-Tech Bridge. “This is why eBay is doing a good thing by advising users to change the passwords ASAP; people should not rely on encryption,” he warned.

Experts warned of potential phishing attacks masquerading as password reset emails for eBay and PayPal (also owned by eBay), as well as spear phishing attacks using information that was in the compromised database.

This breach highlights a need for companies to place tighter controls on how user information is stored and protected. While it’s important to have security measures in place to keep attackers out, companies need to focus on protecting the data itself, usually by encrypting the information, said Brendan Rizzo, technical director for Voltage Security. This protection should not be limited to just login credentials and financial data, but “all potentially sensitive information,” he said.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 

Leave a Reply