Barbara's Beat: eBay hacked - change your passwords now

Thursday, May 22, 2014




eBay Inc. asks eBay users to change passwords


There has been a data breach at eBay and they are finally alerting its customers. This cyber attack may be larger than the Target attack.

Yesterday eBay Inc. announced it is aware of unauthorized access to eBay systems that may have exposed some customer information. There is no evidence financial data was compromised and there is no evidence PayPal or customers have been affected by the unauthorized access to eBay systems. 

"We are working with law enforcement and leading security experts to aggressively investigate the matter," eBay reported on its site.

 As a precaution, eBay asks all users (both buyers and sellers) to change their passwords. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. 

"We regret any inconvenience or concern that this situation may cause you," said eBay. "We know our customers and partners have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device."


What happened?
eBay recently discovered a cyber attack that compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted passwords and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for PayPal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.

What customer information was accessed?
The attack resulted in unauthorized access to a database of eBay users that included:
Customer name
Encrypted password
Email address
Physical address
Phone number
Date of birth

Was my financial information accessed?
The file did not contain financial information, and after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. Likewise, the file did not contain social security, taxpayer identification or national identification information.

Has the issue been resolved?
We believe we have shut down unauthorized access to our site and have put additional measures in place to enhance our security. We have seen no spike in fraudulent activity on the site.

How did this happen?
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network. We are working with law enforcement and leading security experts to aggressively investigate the matter. At this point, we are not disclosing further information.

When did this happen?
Based on forensic research with internal and external security experts, the attack occurred between late February and early March.

Do you know who is responsible?
We are fully cooperating with law enforcement and security experts who are investigating this situation. We will not speculate on who is responsible at this time.

When did eBay discover this issue?
The company discovered that unauthorized access to our corporate network had occurred earlier in May. We immediately began working with security experts and law enforcement to aggressively investigate the matter.

Why did eBay wait so long to disclose this data compromise?
eBay has a responsibility to fully understand the facts which required a full investigation.  As soon as we knew what had happened and determined the best course of action, we acted immediately to disclose.  We have seen no spike in fraudulent activity on the site.

How many accounts were accessed?
All eBay users are being asked to change their password. All eBay users will be notified. At the end of Q1, we had 145 million active buyers.

What steps are you taking to ensure customer data is safe moving forward?
We are asking all eBay customers to change their password the next time they log into their eBay account. We are making this decision out of an abundance of caution.

Below are additional steps eBay is taking:
As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.

How are you notifying eBay customers of this incident?
We are in the process of notifying all eBay users and asking them to change their password through email, site and other marketing communications channels.

Were other platforms impacted?
eBay has no evidence of unauthorized access or compromises to personal or financial information for users of PayPal.  PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.  Likewise, we have no evidence of any unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, Auction, GumTree or GittiGidiyor. 

I use the same password for multiple accounts.  Do I now need to change all of them?
If you used the same password for eBay and any other site, we encourage our customers to change their passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.

If I’ve only visited eBay as a guest user, how does this impact me?
If you have only visited eBay as a guest user, we do not have a password on file. However, we encourage you to remain vigilant. Following a cyberattack of this nature it is common that fraudsters will try to exploit well-known brand names like eBay in an effort to obtain personal information. They attempt this fraudulent activity through phishing emails, texts, phone calls and fake websites.

Does this issue affect me as a PayPal user?
If you are a PayPal user, we have no evidence that this compromise affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network. 

Do I need to change my PayPal password?
If you used the same password for both eBay and PayPal, we encourage you to change your PayPal password, too, as well as any other sites on which you used the same password. As a matter of good practice, the same password should never be used across multiple sites or accounts.

If my information has been compromised, what are the risks to me?
We have no evidence that any customer financial or credit information was involved, and have seen no spike in fraudulent activity on the site. Likewise, the file did not contain social security, taxpayer identification or national identification information.

The information that has been accessed is often publicly available. Thus, the primary risk is increased exposure to consumer scams.

Following a cyberattack of this nature, it is common that fraudsters will try to exploit well-known brand names like eBay in an effort to obtain personal information. They attempt this fraudulent activity through phishing emails, texts, phone calls and fake websites.
For helpful tips on how to avoid scams, please visit our security center.

Seller FAQs

Do I need to take any specific action as a seller?
To protect buyers and sellers, we are asking all eBay customers to change their password the next time they log into their eBay account. No activity can occur on your account until you change your password. You can change your password at www.ebay.com/reset the next time you log on to eBay.com.

What does “no activity can occur on your account” mean?
It means that you will not be able to make a purchase or create new listings until you have changed your password. You can change your password at www.ebay.com/reset now or the next time you log on to eBay.com. The same will be true for all other buyers and sellers on the marketplace.


