eBay has warned users of the auction site to change their passwords immediately, following a compromise of one of its major databases.
The company posted a message on its own site and on that of its sister website PayPal, asking users to carry out the security measure, which it said was “due to a cyber attack that compromised an eBay database containing encrypted eBay passwords and other non-financial information.”
“EBay will notify its user base directly within the next 24 hours with more details,” it said.
“Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.”
It said the database, which was compromised between late February and early March, included eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
“However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today,” the firm said in a statement.
Security expert Graham Cluley said that eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be decrypted and fall into the hands of malicious attackers.
“Although financial information may not have been compromised it sounds as if other personal identifiable information has been exposed as well,” said Cluley.
EBay will notify users via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilised the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.