eBay disclosed overnight that it suffered an attack earlier in the year that compromised customers' names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth.
The company said in its statement that the affected database “did not contain financial information or other confidential personal information”. The source of the attack was pinned on a set of employee login credentials that the attackers were able to obtain.
As a result of the breach, which has the potential to be one of the biggest ever disclosed given that the auction site has 145 million users, eBay is recommending that all users change their passwords immediately.
“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for Ebay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” Ebay said.
However, questions will be asked about the time taken between the breach occurring and eBay deciding to inform its users.
“Although Ebay is still assessing the damage, the concern is the time between the breach and its public disclosure, possibly leaving users vulnerable for weeks,” said Mike Malloy, executive vice president of products and strategy, Webroot. “This practice is becoming a worrying trend, and reminiscent of other notable breaches in the recent past.”
“The very first step should always be to inform customers as soon as possible, since the data stolen is ideal for phishing attacks by the use of email, SMS and phone calls.”
In its defence, Ebay said it has “a responsibility to fully understand the facts which required a full investigation” and that it immediately disclosed the breach once it knew what had happened.
Ian Hodge, managing director at Dell Software, Australia and New Zealand, said that organisations need to audit, examine, and protect sensitive information and internal accounts.
“For too long companies have solely focused on external threats but threats don’t always come from external sources; often, data leaks can originate from employees, through intentional theft, lost or stolen mobile devices or accidental exposure,” he said.
“Poorly managed privileged credentials are increasingly leaving organisations as vulnerable as a hole in a firewall and sensitive information can easily find itself in the wrong hands.”
This year has not been kind to retailers and holders of financial information on the data protection front. In January, Target admitted to having 70 million names, mailing addresses, phone numbers and email addresses stolen; South Korean credit card companies suffered a breach that affected up to 104 million credit cards, 20 million of which were sold to marketing firms after an inside job by a temporary employee of the Korea Credit Bureau; and US arts and crafts retailer Michaels Stores had an attack on its point-of-sale systems that hit 2.6 million cards.
eBay said that, beginning shortly, its users will be contacted via email, site communications, and other methods and told to change their passwords.