The online retail and auction giant eBay will be asking its customers to change their passwords later today because of a cyberattack that compromised a server containing encrypted passwords and other non-financial information.
The company says it does not believe that there has been any unauthorized customer account activity as a result of the breach. Furthermore, eBay Inc. is claiming that user financial data as well as PayPal information is not at risk because that data is stored in encrypted formats on separate, unaffected servers.
“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” the company said in a statement. “Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.”
The information stored on eBay’s compromised database is said to include customer names, encrypted passwords, email and physical addresses, phone numbers, and dates of birth.
eBay says it first discovered the compromised employee credentials two weeks ago. Sometime between then and now, the company claims, it identified which database was affected, and it is now contacting customers accordingly.
Trey Ford, a global security strategist at Rapid7, claims the breach occurred sometime between February and early March. Ford also notes that users should be wary of anyone contacting them claiming to be eBay, as an increase in related phishing attacks is likely.
eBay account holders should receive an email notification from the company sometime later in the day. eBay will also post notifications on its website at that time. It’s not clear why the company is waiting until later in the day to notify its customers.
However, users will eventually be forced to change their passwords on eBay and encouraged to change passwords for other accounts if they happened to be using the same passwords there.