EBay is asking users to change their account passwords after a cyber attack in March compromised one of its databases.
The auction site posted a note on its corporate website that revealed the database, which contained customers’ encrypted passwords and other non-financial data, was hacked between late February and early March.
EBay said the attack compromised a “small number” of employee log-in details, enabling hackers to access eBay’s corporate network.
EBay stressed it had found no unauthorised access to customers’ financial or credit card information, but the compromised database did contain customers’ names, passwords, email addresses, physical addresses, phone numbers and dates of birth. It was asking users to change passwords as best practice and to bolster security.
EBay said: “Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”
It added that it is “aggressively” investigating the matter, which came to light two weeks ago, and is applying the best forensics tools and practices to protect customers.
EBay said it has not seen any increased fraudulent activity on eBay accounts and added that it has not found evidence of unauthorised access to PayPal, the payment tool used by eBay users.
EBay will notify users to change their password via email, on its website and through other marketing channels. It is also urging customers who use the same password elsewhere to change those passwords too.
Anti-virus software firm Webroot director George Anderson said: “It’s disappointing to see that eBay has waited over two weeks to inform its users of the cyber-attack on the company.
“Organisations need to accept that hackers don’t discriminate; any company can become a victim, no matter how big or small. As such, the stakes are no longer about keeping your company’s name out of the headlines, but about dealing with the attack effectively and in a timely manner. The very first step in this should always be to inform customers as soon as possible, since the data stolen is ideal for phishing attacks by the use of email, SMS and phone calls.”