eBay’s morning just went from bad to worse. The e-commerce site confirmed Wednesday that its corporate network was hacked and a database with users’ passwords was compromised. While eBay says there is no evidence that users’ financial information was accessed in the hack, the company is telling all users to change their passwords.
eBay contacted CNET after this story was initially published, saying that it discovered “recently” that it was a victim of “a cyber attack on our corporate information network, which compromised a database containing eBay user passwords.” The company’s spokesperson told CNET, however, that there is “no evidence that any financial information was accessed or compromised.”
The statement follows an odd stream of events this morning, when eBay-owned PayPal published a blog post entitled “eBay, Inc. to Ask All eBay users to Change Passwords.” That blog post had no content, but it quickly spread across the Web after it was retweeted dozens of times. The page was then taken down, causing even more confusion for users of the online auction house.
eBay has since posted a blog post on the hack, saying that it will ask all users to change their passwords starting later on Wednesday.
eBay shares are down 1.73 percent, or 90 cents, to $51.06, following news of the hack.
“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” eBay wrote in the post. “However, changing passwords is a best practice and will help enhance security for eBay users.”
The eBay hack should be taken seriously. With Heartbleed wreaking havoc on the Web and an increasing number of major companies having their servers hacked and personal information leaked, Web security, or the lack thereof, is becoming a huge concern for Web users.
eBay says that it has been able to narrow down the attack to “a small number of employee login credentials” stolen by cyberattackers. That provided the attackers access to eBay users’ names, encrypted passwords, e-mail addresses, physical addresses, phone numbers, and dates of birth.
The database was compromised all the way back in late February and early March, but the compromise wasn’t detected until two weeks ago. The company subsequently engaged in forensics activities to determine which database was compromised and what was stolen.
The eBay hack could prove to be the biggest security breach to affect users since last year’s Target data breach. That breach is believed to have impacted 110 million customers and left personal information open to hackers.
eBay is no slouch. The company has 128 million active users around the world, and will begin asking every one of them to change their passwords. The company hasn’t said, however, how many of those people might have had information stolen.
eBay is trying to allay any fears that PayPal users who store credit card information on the service might have. Although eBay owns PayPal, the auction house says that “PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”
Starting later on Wednesday, eBay will use e-mail, site updates, and “other marketing channels” to ask its users to change their passwords. The company also encouraged its users to change the passwords on any other sites where they might use the same log-in credentials. It even ended its blog post with a security tip:
“The same password should never be used across multiple sites or accounts.”
CNET has contacted eBay for more information on the hack. We will update this story when we have more information.