Cyber attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. The attackers gained access to users’ encrypted passwords and sensitive information, the type that could be used in phishing or social engineering attacks, but they did not access users’ financial data.
eBay said it had no evidence of unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.
Hackers did gain unauthorized access to a database of eBay users that included customer name, email address, physical address, phone number and date of birth along with their encrypted password. However, the file did not contain social security, taxpayer identification or national identification information, the company said.
eBay advised users to change their passwords as a best practice.
PayPal said it was not impacted by the attack – PayPal spokesperson Jennifer Hakes told EcommerceBytes that extensive forensic research showed no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. “PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay. PayPal account holders should consider changing their passwords only if their credentials are the same as those they use for eBay.”
Impact on Auction Sellers
Aside from the fact that shoppers may temporarily become wary of using eBay, there’s a more immediate concern for sellers, especially those conducting auctions. In an email sent on Thursday morning, eBay seller PWCCAuctions.com wrote:
“Though the effects of this breach may be superficial, eBay is choosing a conservative tack, forcing all members to update their current password. In the coming days, eBay will be sending emails to all users; once received, your account will be frozen until the password is updated.
“It is important to note that while your account is frozen, all snipe bids connected to that eBay account WILL NOT be placed. Once the eBay password-change email is received, we recommend following the prompts and then quickly going to your preferred snipe website to re-connect your account with eBay.
“We encourage folks to watch their eBay email closely and to respond with an updated password promptly (on both eBay and your preferred snipe website) to avoid inadvertently losing out on items.”
In an eBay FAQ about the incident, “Do I need to take any specific action as a seller?” eBay states:
“To protect buyers and sellers, we are asking all eBay customers to change their password the next time they log into their eBay account. No activity can occur on your account until you change your password. You can change your password at www.ebay.com/reset the next time you log on to eBay.com.”
And it wrote, “It means that you will not be able to make a purchase or create new listings until you have changed your password. You can change your password at www.ebay.com/reset now or the next time you log on to eBay.com. The same will be true for all other buyers and sellers on the marketplace.”
Risk of Identity Theft
Experts are advising eBay users to be extremely wary of emails appearing to come from the company but actually originating from fraudsters, known as phishing emails. eBay compounds this problem by how it has historically communicated with users. For example, the regular emails eBay sends to the author contain a message at the top, “eBay sent this message to Ina Steiner (user name). Your registered name is included to show this message originated from eBay.”
Now that cyber criminals have accessed eBay’s database containing users’ names and email addresses, they can reproduce that same personalized header, making it easier to trick users into believing a phishing email is genuine. Such emails typically contain links to spoofed websites that ask the user to log in, thereby capturing their password.
How It Happened
How and when did it happen? eBay said the cyber attackers compromised a small number of employee log-in credentials between late February and early March, allowing unauthorized access to eBay’s corporate network.
eBay first detected the compromise about two weeks ago. Why did it take the company so long to inform users? eBay did not respond to any of our inquiries throughout the day, including emails and phone messages.
On an FAQs page, it wrote, “eBay has a responsibility to fully understand the facts which required a full investigation. As soon as we knew what had happened and determined the best course of action, we acted immediately to disclose. We have seen no spike in fraudulent activity on the site.”
EcommerceBytes interviewed former PayPal employee Liron Damri, now COO at Forter, who is an expert in identifying account takeovers. We asked Damri why he thought eBay waited two weeks before letting users know about the attack.
“In order to minimize the impact of such an event, one needs to identify the hackers to prevent them from striking again,” he said. “During those two weeks, eBay had the time to better analyze and identify the suspicious activities, making it harder for the hackers to act on behalf of the account owners. By doing so, they are now able to assure that no password is being changed by the fraudsters themselves.”
What could he deduce about the breach, and how did he think employees’ credentials might have been stolen?
“While we know very little details from the official announcement, we can say that PayPal employees are generally early adopters who trust the web way more than the average user,” Damri said. “The more you share online, the greater your chances of being a victim of fraud.”
This appears to be exactly the case – VentureBeat reported that PayPal President David Marcus pushed his employees to use their PayPal accounts in field testing and sent a scolding email to employees in February. “It’s been brought to my attention that when testing paying with mobile at Cafe 17 last week, some of you refused to install the PayPal app (!!?!?!!), and others didn’t even remember their PayPal password. That’s unacceptable to me, and the rest of my team, everyone at PayPal should use our products where available. That’s the only way we can make them better, and better.”
eBay said it had no evidence of unauthorized access or compromises to personal or financial information for users of PayPal. “Likewise, we have no evidence of any unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, Auction, GumTree or GittiGidiyor.”
eBay published FAQs to help users learn more about the incident and what they could do to protect their accounts.
Update 5/22/14: We’ve received a couple of reports from readers who’ve tried to change their passwords unsuccessfully. The Telegraph reports eBay’s servers are buckling under immense traffic as people go to the site to change their passwords, and said not all users have been notified as of yet.