The attack, effected between late February and early March, resulted in the compromise of a database containing eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. No financial information was accessed, though.
The attack was made possible when the attackers compromised a small number of employee log-in credentials, which allowed them to access eBay's corporate network.
eBay has shared that the compromised employee log-in credentials were first detected about two weeks ago, but has not offered any more details about the hack.
"Whilst it’s impossible to say for sure until more detail emerges, this could be achieved as the result of a targeted ‘watering hole’ compromise or someone falling victim to spear phishing or another form of social engineering," commented Chris Boyd, Malware Intelligence Analyst at Malwarebytes. "These types of attacks aim to get inside pre-identified targets such as companies and other high-value institutions."
"After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats," the company said in a press release issued on Wednesday. "However, changing passwords is a best practice and will help enhance security for eBay users."
"PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," they added, but have not shared details about the type of encryption they use to encrypt this information and the passwords that were stolen.
Changing your eBay AND PayPal password is, therefore, a good idea - just make sure you're not using the same one for both accounts or, for that matter, for other online accounts.
"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," the company added.
Still, I, for one, would like to know how an organization of eBay's size and resources managed not to notice this breach for months.
"This hack is not surprising. Security and functionality tend to exist in an inverse relationship. In other words, the more functional you make something, the less secure it tends to be, and big websites are highly functional. Breaches are part of the fabric of the Internet," commented Roger Thompson, chief emerging threats researcher at ICSA Labs.
"Users need to follow basic security measures like using only one password per site and investing in a password manager. Passwords by themselves aren’t relative as a security measure in today’s environment. Websites that don’t have multiple forms of authentication should be considered high-risk for these types of events."