Online marketplace eBay says it was the target of a cyberattack in which hackers accessed a database of its encrypted passwords. The auction site says no financial data were revealed — but it’s urging its users to update the passwords on their accounts.
EBay says that it hasn’t seen any sign of fraudulent activity since the problem was first detected “about two weeks ago.” It also said that it stores financial data and customer records in different places and that accounts of its direct-payment subsidiary, PayPal, were not affected by the data breach.
The attackers gained access to eBay’s corporate network after they “compromised a small number of employee log-in credentials,” the company says. EBay says it is working with law enforcement and security experts to investigate the breach.
“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,” eBay wrote in a post on its corporate blog Wednesday. “However, the database did not contain financial information or other confidential personal information.”
If you’re changing your password, you should make sure the new one is very different from the old one, security expert Ron Gula of Tenable Network Security tells NPR’s Aarti Shahani. That’s because hackers look for patterns in passwords, he says.
“Maybe it’s ‘flowers1’ or ‘flowers 2,’ and you make a slight change based on where you go,” Gula says. “They understand these patterns. And knowing a password that you use at eBay can allow them to predict a password you might be using for your bank.”
And because many Internet users have a habit of reusing their passwords, the company suggests changing their login information on those accounts, as well. EBay says it will send emails to its customers suggesting that they change their passwords later today.
“EBay had 145 million active users at the end of the first quarter,” The Associated Press reports.