According to the company, the attack, which occurred between late February and early March 2014, originated after a small number of employee log-in credentials were compromised, which enabled cyber-attackers to gain access to eBay's corporate network. Compromised information includes encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers and dates of birth. The database that was exposed in the breach did not contain financial information.
The company states it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately and all PayPal financial information is encrypted.
eBay is currently notifying all of its active users about the breach and the need to change their passwords.
According to Tyler Shields, a security analyst at Forrester Research, the amount of time attackers had in the eBay network is concerning, because the company discovered the breach a short time ago, yet the attackers apparently first accessed the system in late February or early March 2014. Even though financial information wasn't exposed, Shields says there was enough sensitive information potentially accessed to enable criminals to commit fraud.
Andreas Baumhof, CTO at security company ThreatMetrix, also comments on the breach and points out that although the exposed passwords were encrypted, criminals are improving their ability to crack hashed passwords. Account takeover will be the biggest issue going forward.