Online auction site eBay has been blasted for an ‘inexcusable delay’ in taking action after it was revealed that its servers were hacked three months ago.
The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder – 233 million worldwide – are now in the hands of the hackers.
The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.
eBay is requesting that all users change their passwords. Earlier today, a message was posted under the headline ‘eBay Inc. To Ask All eBay Users To Change Passwords’. The only text in the body of the post was ‘placeholder text.’ It was taken down within hours.
WHAT DO WE KNOW ABOUT THE CYBER ATTACK?
The eBay database was hacked between late February and early March.
It gave hackers access to encrypted passwords and other non-financial data.
This included eBay customers’ name, encrypted password, email address, home address, phone number and date of birth.
However, the database did not contain financial information or other confidential personal data.
Cyber attackers accessed the information after obtaining ‘a small number of employee login credentials’.
The online marketplace added that it had no evidence of there being unauthorized activity on its members’ accounts.
But security experts are warning hackers could still use personal details to commit identity fraud.
eBay became aware of the hack a fortnight ago but is still unsure exactly how it happened.
It is unclear why it has taken eBay so long to make users aware of the breach.
Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.
Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the ‘golden goose of hacking targets’ due to the sheer amount of information which is held. He warned that hackers may use personal information to target other sites.
An eBay spokesman said: ‘We discovered unauthorized access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to yesterday’s announcement.’
The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: ‘PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’
The firm has 128million active users and accounted for £126billion worth of commerce in 2013. Shares in the web giant, which has more than 14million active users in the UK, fell by 3.2 per cent in early trading yesterday amid fears that the company will lose the trust of their customers, leading to a downturn in trade and profits.
A spokesman added: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’
The cyber attack was made between late February and early March, giving hackers access to eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. The firm said it will be emailing users later today to inform them of the breach.
‘Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.
‘There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.’
But Graham Cluley, independent security expert, said: ‘Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.
‘If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.’
And internet security expert Paul Martini said: ‘eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.
‘It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.’
He added: ‘Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.’
HOW DOES THE EBAY HACK AFFECT YOU? WHAT YOU NEED TO KNOW.
What personal details were stolen?
Hackers gained access to eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.
Are my credit card details safe?
The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes.
Will changing my password solve the problem?
Changing passwords will stop hackers from being able to use any login details that were stolen.
However, they could still use names, addresses and birth dates to commit identity fraud.
It’s a good idea to change passwords following any attack such as this. It’s also important to update login details on any sites that use the same password.
If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.
As a rule, the same password should never be used across different sites.
Should I change my PayPal password as well?
PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.
However, as a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.
Which countries are affected?
At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.
Is this hack a result of the Heartbleed bug?
When Heartbleed was exposed, eBay announced its customers’ accounts were secure and had not been affected. This suggests the latest hack is a separate attack.
How did hackers steal the information?
It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.
Why did it take so long for eBay to inform customers of the breach?
Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice.