eBay will be asking its users to change their passwords after a cyberattack compromised a database containing encrypted passwords and other non-financial data.
After conducting extensive tests on its networks, the company said it has no evidence of the breach resulting in unauthorized activity for its users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, the company said that changing passwords is “a best practice” and will help enhance security for its users.
“Information security and customer data protection are of paramount importance to us,” the company said in a statement, adding that it regrets any inconvenience or concern that the password reset may cause its customers. “We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.”
Cyberattackers gained access to “a small number of employee log-in credentials,” allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is investigating the matter and looking into protecting its customers.
The database, which was compromised between late February and early March, included eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. eBay reiterated that the database did not contain financial information or other confidential personal information.
The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
eBay said it has seen no indication of increased fraudulent account activity on its site and that it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all its related financial information is encrypted.
Beginning later today, users will be notified via email, site communications and other marketing channels to change their passwords. The company said it is also encouraging any users who use the same password on other sites to change those passwords, too, cautioning that the same password should never be used across multiple sites or accounts.