EBay says that credit card and other financial data, including that of its PayPal subsidiary, were not compromised. But cyber experts worry that it took weeks for the breach to be discovered.
Online auction giant eBay Inc. said early Wednesday it was hit by a cyber-attack and, as a precautionary measure, is asking its 145 million active users to change their passwords, because hackers had infiltrated a database containing encrypted passwords and other nonfinancial personal data.
In a statement on its website, the company said the attack that occurred in late February and March compromised “a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network.”
The attackers then used those credentials to access a database that included eBay customer names, encrypted passwords, e-mail addresses, physical addresses, phone numbers, and dates of birth. The company stressed that credit-card and other financial data, including that of its PayPal subsidiary, were not compromised.
The company said it has seen no indication of increased fraudulent account activity on eBay, evidence of unauthorized access, or compromises to personal or financial information for PayPal users.
“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” eBay said in a statement. “However, changing passwords is a best practice and will help enhance security for eBay users.”
But several factors still worry cyber-security experts. The intrusion began in late February yet was detected only two weeks ago, apparently giving the attackers weeks of unnoticed access to the company network. Passwords, even though stored in encrypted form, can still be recovered by so-called “brute force” cracking: an attacker who holds a copy of the database can try guesses against it offline, at leisure, with nothing to throttle or lock out the attempts, cyber experts say. Many consumers also reuse the same password across several sites, so a password cracked from the eBay database may unlock accounts elsewhere. And the large amount of exposed personal information (names, e-mail and physical addresses, phone numbers, and dates of birth) could still be a gold mine for identity thieves, they say.
The eBay breach follows the April disclosure of the “Heartbleed” vulnerability in OpenSSL, the encryption library behind much of the Web's secure traffic, which potentially exposed about half of all Internet websites to hack attacks. Just last December, Target Corp. revealed a hack that potentially affected 110 million customers.
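The two points above, offline cracking of a stolen password table and reuse of a cracked password on another site, are easier to see in code. The following is an added example, not code from the article or from eBay, and the storage schemes are assumptions: eBay did not disclose how its passwords were protected, so the “before” table uses unsalted SHA-1 purely because that is the kind of storage that falls quickly to a wordlist, and the “after” table uses a per-user salt with PBKDF2-HMAC-SHA256. All user names, passwords, salts and the second site's verifier are constructed for the example.

```python
import hashlib
import hmac

# Everything below is constructed for illustration. eBay did not disclose how its
# passwords were protected; the unsalted SHA-1 "before" scheme is an assumption,
# chosen because it is the kind of storage that falls quickly to offline cracking.

WORDLIST = ["123456", "password", "qwerty", "letmein", "ebay2014", "Summer14!"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" table: e-mail -> unsalted SHA-1 of the password.
LEAKED_UNSALTED = {
    "alice@example.com": sha1_hex("letmein"),
    "bob@example.com": sha1_hex("qwerty"),
    "carol@example.com": sha1_hex("Tr0ub4dor&3"),  # not in the wordlist; survives
}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on unsalted hashes. Each guess is hashed once and
    looked up against every account at the same time, so the work is proportional
    to the wordlist, not to the number of users. Returns (cracked, hash_evaluations)."""
    lookup = {sha1_hex(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(wordlist)


# Hardened storage: a random per-user salt and a deliberately slow KDF.
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 rounds per guess


def pbkdf2_hex(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


# Constructed salts (in production: os.urandom(16) per user, stored beside the hash).
SALTS = {"alice@example.com": b"\x01" * 16, "bob@example.com": b"\x02" * 16}
LEAKED_SALTED = {
    "alice@example.com": pbkdf2_hex("letmein", SALTS["alice@example.com"]),
    "bob@example.com": pbkdf2_hex("qwerty", SALTS["bob@example.com"]),
}


def crack_salted(leaked: dict, salts: dict, wordlist: list) -> tuple:
    """The same attack against salted, slow hashes. The salt forces every guess to be
    re-derived per user, and each derivation costs ITERATIONS rounds instead of one.
    Returns (cracked, kdf_evaluations)."""
    cracked, evaluations = {}, 0
    for user, stored in leaked.items():
        for guess in wordlist:
            evaluations += 1
            if hmac.compare_digest(pbkdf2_hex(guess, salts[user]), stored):
                cracked[user] = guess
                break
    return cracked, evaluations


# Password reuse: a password cracked from this dump is tried against another site
# (credential stuffing). The other site's verifier is constructed with its own salt.
OTHER_SITE_SALT = b"\x09" * 16
OTHER_SITE = {"alice@example.com": pbkdf2_hex("letmein", OTHER_SITE_SALT)}


def other_site_login(user: str, password: str) -> bool:
    stored = OTHER_SITE.get(user)
    return stored is not None and hmac.compare_digest(
        pbkdf2_hex(password, OTHER_SITE_SALT), stored)


def credential_stuffing(cracked: dict) -> list:
    """Accounts on the other site that open with the password cracked from this dump."""
    return [user for user, pw in cracked.items() if other_site_login(user, pw)]
```

Against the unsalted table the whole wordlist costs six SHA-1 evaluations no matter how many of the 145 million accounts are in the dump; against the salted table every account costs its own run through the wordlist, and each guess costs a hundred thousand hash rounds. Neither scheme helps a user whose cracked password also opens an account elsewhere, which is why the advice to change passwords extends to every site where the same one was used.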
“This hack is particularly significant because eBay has a reputation for taking very strong security measures,” says Michael Sutton, vice president of security research for Zscaler, a cloud-based cyber-security firm with headquarters in Sunnyvale, Calif. “What’s been revealed so far suggests a targeted attack directed at specific employees, possibly a phishing attack. It’s got to be of concern that it was only discovered a couple of weeks ago.”
Companies have tended to rely on firewalls and other perimeter defenses to build a cyber-fortress. But what this hack shows is that it is almost impossible to keep intruders out, and that the key is monitoring networks constantly so that any intrusion is detected quickly, before massive damage can be done, Mr. Sutton says.
It also suggests a sea change has occurred – and may still be occurring – in how companies deal with such hacks. Until a few years ago, most companies did everything they could to bury such hacks, rather than make them public. But data-breach disclosure laws – and the admission in early 2010 by Google that it had been hacked by Chinese cyber-spies – have helped companies fess up to cyber-breaches and forced them to improve their cyber-security.
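As an added example that is not part of the original article, and not eBay's own tooling, here is the kind of continuous monitoring Mr. Sutton is describing, reduced to a few rules run over a constructed database audit log in Python. The scenario matches the article only in shape: a legitimate employee account starts reading a customer table in bulk from a host it has never used. The account names, hosts, row counts, the baseline cutoff and the “discovered in early May” date are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed database audit log (not real eBay telemetry). Fields: timestamp,
# employee account, source host, table, rows returned.
AUDIT_LOG = """\
2014-02-20T09:12:01 jdoe corp-ws-17 orders 120
2014-02-20T14:00:00 msmith corp-ws-04 customers 35
2014-02-21T10:03:44 jdoe corp-ws-17 orders 95
2014-02-24T02:17:09 jdoe vpn-pool-203 customers 2500000
2014-02-24T02:41:33 jdoe vpn-pool-203 customers 3100000
2014-02-25T11:20:00 msmith corp-ws-04 customers 40
2014-03-03T03:05:12 svc-backup db-bastion-2 customers 4000000
"""

SENSITIVE_TABLES = {"customers"}


def parse_audit_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, host, table, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, host, table, int(rows)))
    return events


def build_baseline(events: list, cutoff_iso: str) -> dict:
    """Per-account profile learned from activity before the cutoff: the hosts the
    account has used and the largest single read it has made."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    profile = defaultdict(lambda: {"hosts": set(), "max_rows": 0})
    for ts, user, host, table, rows in events:
        if ts < cutoff:
            profile[user]["hosts"].add(host)
            profile[user]["max_rows"] = max(profile[user]["max_rows"], rows)
    return dict(profile)


def detect(events: list, baseline: dict, factor: int = 100) -> list:
    """Evaluate each event as it arrives and return (timestamp, account, reasons)
    for anything that departs from the account's own history. Alerts fire on the
    first anomalous read rather than weeks later."""
    alerts = []
    for ts, user, host, table, rows in events:
        reasons = []
        prof = baseline.get(user)
        if prof is None:
            # An account with no history touching sensitive data is itself notable.
            if table in SENSITIVE_TABLES:
                reasons.append("unknown-account")
        else:
            if host not in prof["hosts"]:
                reasons.append("new-host")
            if table in SENSITIVE_TABLES and rows > factor * max(prof["max_rows"], 1):
                reasons.append("bulk-read")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts


def days_gained(alerts: list, discovered_iso: str):
    """Whole days by which the first alert would have preceded the actual discovery
    date (assumed here, not stated by eBay). None if nothing fired."""
    if not alerts:
        return None
    first = min(ts for ts, _, _ in alerts)
    return (datetime.fromisoformat(discovered_iso) - first).days


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    base = build_baseline(evts, "2014-02-22T00:00:00")
    for ts, user, reasons in detect(evts, base):
        print(ts.isoformat(), user, ",".join(reasons))
    print("days gained:", days_gained(detect(evts, base), "2014-05-07T00:00:00"))
```

The rules are deliberately simple (a host the account has never used, a read more than a hundred times larger than anything the account has done before, an account with no history at all touching sensitive data) because the point is not the sophistication of the detector but where it sits: it evaluates every access as it happens, so the bulk reads in the constructed log raise an alert on the first night rather than after the attackers have had weeks inside the network.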
“That’s the silver lining here,” Sutton says. “Partly as a result of Google doing what it did, we’re seeing a lot more companies admitting they’ve been hacked. They know it’s better to get the bad news out and deal with it. But it's still a front page headline, so CEO feet are now being held to the fire on cyber-security – and that’s also forcing companies to improve their security posture."