Later today, eBay will begin asking all of its 112 million customers to change their passwords, in the wake of a newly discovered database breach. The breach compromised a database containing a list of encrypted passwords that, once released in the wild, could potentially be decrypted through publicly available tools. As a result, eBay is asking users to change passwords as soon as possible. Officials say no financial data was implicated, and the company hasn't found any evidence of unauthorized activity resulting from the breach.
Attackers obtained employee log-in credentials
The attack itself took place some time between late February and early March, when attackers obtained a group of employee log-in credentials, allowing access to the larger database. Even after the attack, eBay wasn't aware of the compromise until two weeks ago, and it took detailed forensic analysis to implicate the password database, resulting in today's announcement.
In addition to passwords, the database contained basic login information like name, email, phone number, address and date of birth, but officials stressed that, aside from the passwords, no confidential or personal information was included in the breach. PayPal was not involved in the breach, as PayPal data is kept on a separate network with higher levels of encryption. Still, a site-wide password reset is generally seen as the best response to this kind of breach. eBay also reminded users to make the change at any other sites where they had used the same password, a bad security practice that is nonetheless widespread.