On May 21, 2014, eBay Inc. posted an announcement requesting a password reset, in which it stated that it had become aware of a cyber attack that had managed to gain access to a “small number” of employee login credentials. The stolen employee login credentials were then used to gain unauthorized access to eBay’s corporate network systems. From there, the cyber thieves were able to breach the eBay database containing encrypted passwords, as well as other non-financial data of eBay users, which included both buyers’ and sellers’ information.
The information the hacker(s) were able to obtain included customer names, encrypted passwords, email addresses, home addresses, phone numbers, and dates of birth for as many as 145 million eBay customers. Fortunately, according to eBay, there is no evidence that the cyber criminals were able to get access to customers’ PayPal accounts or financial data. Although it is good news that the cyber attackers were unable to access any PayPal account information and that the eBay passwords were encrypted, it does not mean that eBay customers have nothing to worry about. The fact that eBay encrypts its passwords does not make them impenetrable, but salted and hashed encryption makes them much more difficult to break.
The bad news is that the personal information the cyber criminals obtained in the eBay breach will typically be used to conduct phishing scams against the customers whose information was stolen. Now that cyber criminals have your name, date of birth, email address, physical address and phone number, they often use this information to impersonate eBay or other legitimate businesses with phony emails, phone calls or mail, to try to trick you into giving them more of your information, such as banking information or Social Security numbers. The fake emails may appear very genuine, and some may have a message with a link for you to click on. DO NOT click on any links in an email: it may contain a virus or redirect you to another site where they may try to take control of your computer. If you receive anything from eBay or any other company you have done business with, go directly to that company's site to make sure the email is genuine.
The reaction time and response from eBay have been better than those of many other companies that have been breached in recent years, in terms of taking responsibility and notifying customers in a timely manner. But downplaying the damage that remains for the customers whose information is now in the hands of criminals is not a prudent way of defeating cyber attacks.
In the interest of transparency and fairness, and to properly display eBay’s precise use of language, direct quotes from the eBay announcement posts are included below.
An eBay statement posted on May 22, 2014 stated:
Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords. What’s important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted. If you are a PayPal user, note we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.
An update was posted by eBay on May 26, 2014 which read:
Over the past two days we have been contacting all eBay users asking them to change their passwords. If you haven’t yet changed your password, at some point you will be prompted to do so when you login or before you complete a transaction. If you changed your password on May 21 or later, we do not need you to take any additional action at this time.
We are taking this action because of a cyberattack on our corporate information network discovered earlier this month. We have no evidence that your financial information was accessed or compromised, but ensuring the trust and security of all eBay members is our top priority. That’s why we’re having all users reset their passwords as a precautionary measure.
If you used the same password for eBay and any other sites, we encourage you to change your password on those sites, too. As a matter of best practice, the same password should never be used across multiple sites or accounts.
Links For Consumers Affected: