eBay users are being advised to change their passwords after attackers compromised some employees' log-in credentials and used them to break into the eBay corporate network.
The company said in a statement on Wednesday that the attackers reached a database containing "encrypted passwords and other non-financial data" and that no financial or credit card information was taken. Users should change their passwords anyway: whoever holds a copy of stored password material can attempt to recover passwords offline, at leisure and without tripping any login rate limit, and any password reused on another site is at risk there as well.
The stolen information may include customer names, phone numbers, dates of birth, email addresses, physical addresses and encrypted passwords. The breach took place between late February and early March but was not detected until a couple of weeks ago. PayPal data is not affected; it is stored in a separate, fully encrypted system.
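Why the advice to change passwords stands even when the stored passwords were protected: the following is an added example, not code or data from the article or from eBay, and it assumes nothing about how eBay actually stored passwords. It builds a small constructed credential table using per-user salted PBKDF2-HMAC-SHA256 (a reasonable scheme, chosen here for illustration) and then runs the offline dictionary attack that anyone holding a stolen copy of such a table can perform. The user names, passwords and wordlist are all made up.

```python
import hashlib
import hmac
import os

# Constructed sample data: three users, two of whom chose weak passwords.
# Illustrative only; nothing here is eBay's data or eBay's storage scheme.
SAMPLE_USERS = {
    "alice": "Summer2014",
    "bob": "correct horse battery staple tail-end 91!",
    "carol": "password1",
}

# Tiny constructed wordlist standing in for the multi-million-entry lists
# attackers actually use against leaked credential tables.
WORDLIST = ["123456", "password", "password1", "letmein", "Summer2014", "qwerty"]

# Work factor for the KDF. Real deployments tune this to their hardware;
# it is kept modest here so the example runs in a few seconds.
ITERATIONS = 50_000


def store_password(password, iterations=ITERATIONS):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256.

    A random per-user salt stops one guess from being checked against every
    user at once; the iteration count makes each guess cost the attacker time.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_credential_table(users):
    """Simulate what the service stores: one (salt, digest) pair per user."""
    return {name: store_password(pw) for name, pw in users.items()}


def offline_dictionary_attack(table, wordlist):
    """What an attacker holding a stolen copy of the table can do offline.

    Every wordlist entry is tried against every user's salt and digest. No
    login endpoint, rate limit or lockout is involved, so only the KDF cost
    and the strength of each password slow this down. Returns the users
    whose passwords were recovered, mapped to the recovered password.
    """
    cracked = {}
    for name, (salt, digest) in table.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                cracked[name] = guess
                break
    return cracked


if __name__ == "__main__":
    table = build_credential_table(SAMPLE_USERS)
    # Weak passwords fall to the wordlist even though the table is salted
    # and slow-hashed; the strong passphrase survives this wordlist.
    print(offline_dictionary_attack(table, WORDLIST))
```

The point of the exercise is that salting and a slow KDF raise the attacker's cost per guess, but they do not rescue a password that already sits in a wordlist. Once the table is in someone else's hands the only remaining defences are password strength and not reusing the password elsewhere, which is exactly why a reset is advised regardless of how the passwords were protected.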
This breach will be hard on eBay's reputation. A couple of weeks ago the Target CEO resigned, months after a data breach last December affected up to 70 million of the retailer's customers. That case involved payment card data, which apparently was not taken here, but its impact will still be fresh in people's minds.
Trend Micro security researcher and blogger Rik Ferguson has been quick off the mark with a series of questions for the online auction house: why all of this information was not encrypted, why a handful of compromised employee credentials were enough to reach this database, and why it took eBay so long to realize it had been raided.
As Ferguson noted, addressing eBay:
“You write at the end of your press statement ‘The same password should never be used across multiple sites or accounts.’ I agree. I’m going to end my ‘statement’ with this. Sensitive data, especially that which you hold in trust, should always be encrypted, no exceptions.”