|Wed May 21 2014 08:21:48|
By: Ina Steiner
eBay sent out the following press release at 9:10 am on Wednesday morning:
eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
UPDATE (10 am EST): PayPal spokesperson Jennifer Hakes told EcommerceBytes eBay will only be asking its user base later today to change passwords. "Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers," she said.
"PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay. PayPal account holders should consider changing their passwords only if their credentials are the same as those they use for eBay."
UPDATE (3:50 pm EST): eBay published a FAQs page that includes this blurb:
The file did not contain financial information, and after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. Likewise, the file did not contain social security, taxpayer identification or national identification information.
UPDATE (8:14 am on 5/22/14): eBay sellers should consider the impact this will have on their auction listings since snipe bids may not be allowed to go through unless bidders have changed their passwords, see today's Newsflash story.