eBay hacked, all users asked to change passwords

eBay is asking all users to change their passwords after a database was hacked.

eBay is asking all its users to change their passwords after attackers compromised employee credentials and gained unauthorized access to a database that stored personal information.

The company learned of the unauthorized access in May and, following an investigation, determined that the attack may have occurred sometime between late February and early March, according to a release, which adds that the issue is believed to be resolved.

Details are scarce as the investigation is ongoing, but officials with the popular online auction and shopping website announced on Wednesday that attackers gained unauthorized access to a database containing names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords.

An eBay spokesperson did respond to a SCMagazine.com inquiry into the type of encryption that the company uses, but in a Wednesday email correspondence with SCMagazine.com, Cris Thomas, technical manager with Tenable Network Security, said he wants to know how the passwords were encrypted, and if the data was salted.

“With that information, I can have a realistic idea of what the chances are of my password being brute-forced,” Thomas said. “That way I can determine my level of exposure and be able to offer practical advice to other people who may also be impacted.”

In a Wednesday email correspondence, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that even larger companies are guilty of storing customer passwords simply by using classic MD5 hashes without salt, which could enable decryption.
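The salting question raised above can be made concrete with an added example (not from the article, eBay or the people quoted) that contrasts unsalted MD5 storage with per-user salted PBKDF2. The account names, passwords, function names and PBKDF2 work factor are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts (not breach data): two users share a password.
ACCOUNTS = {"alice": "Summer2014!", "bob": "Summer2014!", "carol": "x9$Lq-Vt3p"}

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def weak_record(password: str) -> str:
    """Unsalted MD5: the same password always yields the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_digest_groups(records: dict) -> list[list[str]]:
    """Group users whose stored value is identical, which reveals password reuse."""
    groups: dict = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    weak = {u: weak_record(p) for u, p in ACCOUNTS.items()}
    strong = {u: strong_record(p) for u, p in ACCOUNTS.items()}
    print("unsalted MD5, users sharing a digest:", shared_digest_groups(weak))
    print("salted PBKDF2, users sharing a record:", shared_digest_groups(strong))
```

With unsalted MD5 the two accounts that share a password are visibly linked in the stored data, so one recovered value exposes both; with a per-user salt every record is unique and each must be attacked separately at the full work factor.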

According to a FAQ posted Wednesday by eBay, financial information, as well as Social Security numbers, Taxpayer Identification numbers and National Identification numbers, were not compromised. Additionally, eBay said its other platforms – PayPal, StubHub, eBay Classifieds, Tradera, GMarket, GumTree and GittiGidiyor – were unaffected.
