eBay is asking all its users to change their passwords after attackers compromised employee credentials and gained unauthorized access to a database that stored personal information.
The company learned of the unauthorized access in May and, following an investigation, determined that the attack may have occurred sometime between late February and early March, according to a release, which adds that the issue is believed to be resolved.
Details are scarce as the investigation is ongoing, but officials with the popular online auction and shopping website announced on Wednesday that attackers gained unauthorized access to a database containing names, addresses, phone numbers, dates of birth, email addresses and encrypted passwords.
An eBay spokesperson did respond to an SCMagazine.com inquiry into the type of encryption that the company uses, but in a Wednesday email correspondence with SCMagazine.com, Cris Thomas, technical manager with Tenable Network Security, said he wants to know how the passwords were encrypted and whether the data was salted.
“With that information, I can have a realistic idea of what the chances are of my password being brute-forced,” Thomas said. “That way I can determine my level of exposure and be able to offer practical advice to other people who may also be impacted.”
In a Wednesday email correspondence, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that even larger companies are guilty of storing customer passwords simply by using classic MD5 hashes without salt, which could enable decryption.
According to a FAQ posted Wednesday by eBay, financial information, as well as Social Security numbers, Taxpayer Identification numbers and National Identification numbers, were not compromised. Additionally, eBay said its other platforms – PayPal, StubHub, eBay Classifieds, Tradera, GMarket, GumTree and GittiGidiyor – were unaffected.