May 21, 2014

eBay is asking users to pick new passwords following a data breach earlier this year that exposed the personal information of an untold number of the auction giant’s 145 million customers.

eBayIn a blog post published this morning, eBay said it had “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”

Assisted by federal investigators, eBay determined that the intrusion happened in late February and early march, after a “small number of employee log-in credentials” that allowed attackers access to eBay’s corporate network were compromised. The company said the information compromised included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. eBay also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.

The company said it will begin pushing out emails today asking customers to change their passwords. eBay has not said what type of encryption it used to protect customer passwords, but it previous breaches are any indication, the attackers are probably hard at work trying to crack them.

If you’re an eBay user, don’t wait for the email; change your password now, and make it a good one. Most importantly, don’t re-use your eBay or PayPal password elsewhere. If you did that prior to today, it’s a good idea to change that password to something unique at the other sites that shared it. And be extra wary of phishing emails that spoof eBay and PayPal and ask you to click on some link or download some security tool; attackers are likely to capitalize on this incident to spread malware and to hijack accounts.

eBay and PayPal users who haven’t already done so should consider using the PayPal Security Key, a two-factor authentication solution that can be used to add for additional security on both sites.

123 thoughts on “eBay Urges Password Changes After Breach

  1. Keith Appleyard

    Finally – I get an e-mail notification from eBay that they have been hacked and that I should change my password – 2 weeks after Brian reported it. What’s with those guys’ e-mail system, 2 weeks to tell us here in the UK? Fortunately I changed my password a while ago.

  2. martha

    I called e-bay Customer Support shortly after learning of the breach and asked about PayPal. I was told that there was no problem but that their advice was to change my PayPal password.

    The reason I raised it is because my husband uses Ebay and PayPal (owned by Ebay) a lot and he told me that Ebay & PayPay requires that the SAME PASSWORD be used for both. The Customer Service rep seemed to say that was not true.

    Does anyone know whether they ever required the same password?

  3. Mark O'Brien

    My paypal account was breached today. The hackers withdrew 500 out of my checking account

Comments are closed.