eBay hacked, all users asked to change passwords

eBay is asking all users to change their passwords after a database was hacked.

eBay is asking all its users to change their passwords after attackers compromised employee credentials and gained unauthorized access to a database that stored personal information.

The company learned of the unauthorized access in May and, following an investigation, determined that the attack may have occurred sometime between late February and early March, according to a release, which adds that the issue is believed to be resolved.

Details are scarce as the investigation is ongoing, but officials with the popular online auction and shopping website announced on Wednesday that attackers gained unauthorized access to a database containing names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords.

An eBay spokesperson did respond to a SCMagazine.com inquiry into the type of encryption that the company uses, but in a Wednesday email correspondence with SCMagazine.com, Cris Thomas, technical manager with Tenable Network Security, said he wants to know how the passwords were encrypted, and if the data was salted.

“With that information, I can have a realistic idea of what the chances are of my password being brute-forced,” Thomas said. “That way I can determine my level of exposure and be able to offer practical advice to other people who may also be impacted.”

In a Wednesday email correspondence, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that even larger companies are guilty of storing customer passwords simply by using classic MD5 hashes without salt, which could enable decryption.
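The difference that salting makes to stored passwords can be seen with a small audit, given here as an added example that is not from the article and does not describe eBay's undisclosed scheme. The account names, passwords, PBKDF2 as the salted scheme, and the iteration count are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not from the breach): two users share a password.
USERS = {"alice": "Summer2014!", "bob": "Summer2014!", "carol": "tr0ub4dor&3"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def md5_unsalted(password: str) -> bytes:
    """Weak scheme: fast and deterministic, same password gives same stored value."""
    return hashlib.md5(password.encode()).digest()


def pbkdf2_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_salted(password, salt)[1], expected)


def shared_digest_groups(stored: dict[str, bytes]) -> list[list[str]]:
    """Audit check: list the users whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit() -> tuple[list[list[str]], list[list[str]]]:
    """Store the same accounts under both schemes and look for shared digests."""
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: pbkdf2_salted(p)[1] for u, p in USERS.items()}
    return shared_digest_groups(weak), shared_digest_groups(strong)


if __name__ == "__main__":
    weak_groups, strong_groups = audit()
    print("unsalted MD5, users sharing a digest:", weak_groups)
    print("salted PBKDF2, users sharing a digest:", strong_groups)
```

Identical digests across accounts in a credential table are a quick sign that no per-user salt is in use, which is the condition Thomas asks about.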

According to a FAQ posted Wednesday by eBay, financial information, as well as Social Security numbers, Taxpayer Identification numbers and National Identification numbers, were not compromised. Additionally, eBay said its other platforms – PayPal, StubHub, eBay Classifieds, Tradera, GMarket, GumTree and GittiGidiyor – were unaffected.
