E-commerce giant eBay has told all its users to change their passwords in the wake of a cyber attack on the popular online marketplace.
In a statement on the company’s website, the US-based business said it was asking users to reset their passwords after an attack “compromised a database containing encrypted passwords and other non-financial data”.
The site, which has more than 14 million active users in the UK, was quick to say that it believes no unauthorised access was gained to personal data, but that a password reset was the best practice to help ensure security.
“Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network,” said the statement.
“Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers. Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”
The auction website said the database was breached at some point in late February and early March, with access gained to personal customer information including password, address and date of birth. However, the company said financial data is stored on a separate database using different encryption.
The company said it had seen no indication of increased fraudulent account activity on eBay.
The internet is still recovering from the Heartbleed bug, a flaw in OpenSSL, the encryption software that protects user information when someone is online.
Fixes, or “patches”, have since been applied across the web as sites recover from the bug.
A spokesman for eBay said: “Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all eBay users to change their passwords.”
Michela Menting, cybersecurity practice director at technology market experts ABI Research, said eBay’s response should reassure users.
“It seems that the attackers managed to gain employee credentials through social engineering – a difficult type of fraud that is tricky to avoid completely, even with the best defences in place.
“Consequently, incident response mechanisms have to be ironclad in order to minimise fall-out. It also appears that eBay have effectively siloed databases for financial info from customer information.
“The fact that passwords were encrypted is also reassuring.”