EBay Urges New Passwords After Breach

May 23, 2014

In the latest prominent breach of a company’s computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said on Wednesday.

The hackers broke into an eBay database containing names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers.

There was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal, which is owned by eBay, said Amanda Miller, a company spokeswoman. The company has not seen evidence of fraudulent activity that could be linked to the breach, she said.

Still, hackers could use the stolen data for identity theft. Personal information — such as email addresses, passwords and birth dates — is regularly sold to criminals who use it for phishing or identity theft.

Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send emails that bait victims into clicking on malicious links or direct them to fake log-in screens where they are asked to enter more valuable information like a password or a Social Security number.

“Expect an uptick in phishing. Do not click links in email or discuss anything over the phone,” warned Trey Ford, a strategist at Rapid7, a security firm in Boston.

EBay discovered the breach this month when the company’s internal security team noticed that some of its employees were engaged in unusual activity on its corporate network, said Mark Carges, the company’s chief technology officer.

EBay contacted the Federal Bureau of Investigation’s San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay’s corporate network since late February.

By studying computer logs, eBay discovered that hackers had stolen the credentials of several of its employees and gained unauthorized access to eBay’s corporate network. Once inside, they were able to copy a database containing information on all 145 million of the company’s customers, according to Alan Marks, eBay’s senior vice president of global communications.

Mr. Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change their passwords immediately.

Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information like a credit card or a Social Security number. But there are exceptions for encrypted information.

In eBay’s case, the company stored users’ names, email and physical addresses and birth dates in plain text but encrypted their passwords. Most states would not have required eBay to disclose the breach. But one state, North Dakota, requires companies to disclose a breach in cases where a customer’s name is compromised in conjunction with a birth date.

Mr. Carges said eBay camouflaged customers’ passwords with encryption, using a process known as hashing, in which passwords are mashed up with a mathematical algorithm and stored only in encoded or “hashed” form.

To make cracking more difficult, Mr. Carges said, eBay also appended several random digits to customer passwords — a process known as salting — before encrypting the passwords. Salting makes cracking them more difficult, although not impossible.
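The effect of salting described above, as an added example that is not from the article or from eBay: without a salt, identical passwords produce identical stored values; with a per-user salt they do not. The article does not name eBay's algorithm, so PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample accounts (not data from the breach); two share a password.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "tr0ub4dor&3"}
ITERATIONS = 100_000  # illustrative work factor (assumption); tune for your hardware


def unsalted_record(password):
    """Weak form: a bare fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_record_groups(store):
    """Return groups of users whose stored records are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, record in store.items():
        groups[record].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_store(users, make_record):
    """Map each username to the record that would be written to the database."""
    return {user: make_record(pw) for user, pw in users.items()}


if __name__ == "__main__":
    weak = build_store(SAMPLE_USERS, unsalted_record)
    strong = build_store(SAMPLE_USERS, salted_record)
    print("unsalted duplicates:", shared_record_groups(weak))
    print("salted duplicates:  ", shared_record_groups(strong))
    salt, digest = strong["alice"]
    print("correct password verifies:", verify("sunshine1", salt, digest))
```

The salt is stored next to the digest, so it does not make guessing impossible; it forces each account to be worked on separately, and the slow derivation function raises the cost of every guess.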

Mr. Marks said that on Wednesday the company would begin prompting users to change their passwords and alerting customers to the breach.

Peter D. Lee, a spokesman for the F.B.I.’s San Francisco field office, said the F.B.I. was working closely with eBay to investigate the breach and that he believed that arrests would be made soon.

The breach at eBay is one of several recent hacking episodes at prominent companies. One that struck Target in December has cost the retailer $87 million in breach-related expenses, according to securities filings.

 

Text by The New York Times
