TMCnet News

Change your password, says eBay after 'biggest ever hack': Database with names and addresses is compromised: Financial information not divulged, auction site says
[May 22, 2014]



(Guardian (UK) Via Acquire Media NewsEdge) Ebay urged users to change their passwords yesterday after suffering what may have been the biggest ever cyber-attack when hackers broke into a database holding its customers' personal data.

The auction site said the breach, detected two weeks ago, had not given the hackers access to customers' financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth, which were not encrypted.



The site has 233 million customers worldwide, including more than 14 million active in Britain.

In a statement, eBay said a database had been compromised between late February and early March. PayPal, the payment arm of eBay, released a statement saying it was not affected and that financial information had not been compromised.


"The scope for damage is absolutely huge and could be the biggest hack of all time, given the number of users eBay has," said Rik Ferguson, global vice-president of security research at the security software firm Trend Micro.

Professor Alan Woodward of the department of computing at the University of Surrey said that while financial information was protected, the personal information exposed in the compromise was "neatly packaged information that is worth a lot to cybercriminals".

He added: "Though eBay claims that financial information was not compromised we shouldn't be reassured by these statements."

Ferguson said: "It is inexcusable for a company the size of eBay with the amount of data it holds to not encrypt all personal information held and to not constantly be at the forefront of security technology. It should not have taken them three months to notice a break-in like this."

Exposure of personal information such as postal addresses and dates of birth puts users at risk of identity theft, where the data is used to claim ownership of both online and real world identities. Users are also at risk of phishing attacks from malicious third parties, which use the private details to trick people into handing over bank account, credit card or other sensitive information.

The break-in was not caused by the Heartbleed flaw in internet servers that received publicity earlier this year. Instead, the hackers had "compromised a small number of employee login credentials, allowing unauthorised access to eBay's corporate network", the company said.

The attack is bigger than the one that affected the US retailer Target in December, when approximately 40 million customer credit cards were stolen by hackers who broke into the company's systems. The fallout from that security breach led to the resignation of Target's chief executive this month.

Ebay has been described as the "golden goose" by some security researchers because of its large user base, but other internet companies yet to suffer large hacks of this nature are also considered prime targets.

Amazon, for instance, has around 244 million active accounts, each with credit cards attached. Apple's iTunes, arguably the biggest database of shoppers, has around 800 million users, most of whom will have credit cards attached to their accounts.

"Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers," the company said. "We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

Troy Gill, senior security analyst at the internet security firm AppRiver, said: "This breach is a stark reminder that no organisation is immune to cyber-attacks."

In figures:

233m: The number of customers in eBay's compromised database, which holds names, addresses and birthdays

14m: The number of active eBay users in the United Kingdom. Customers have been urged to change their private details

40m: The previous biggest exposure of customer details, for the US retailer Target. The chief executive resigned

(c) 2014 Guardian Newspapers Limited.
