eBay has suffered a cyberattack which has resulted in the breach of 223m customers’ personal data.
In what may be the biggest ever commercial cyber attack to date, eBay said the breach was detected over two weeks ago but customers’ financial information was not at risk.
However, a database containing encrypted passwords as well as names, email addresses, physical addresses and phone numbers was compromised.
Over 14 million active eBay accounts are in use in the UK, with the total number of customer accounts worldwide reaching 233 million.
In a statement, eBay said the database was breached between late February and Early March. PayPal said that its service has not been affected and customers’ financial information is safe.
David Emm, a security researcher at cybersecurity firm Kaspersky, said: "It’s difficult to quantify the danger customers may be in following the eBay cyber-attack, but of course any personal data in the wrong hands is bad news and it appears that the attackers have gained access to customers’ names, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords.
The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond but if the company has only just discovered the full extent of the attack it is now doing the right thing by notifying customers in a timely manner."
Matt Middleton-Leal, a director at security firm CyberArk, said: "The very fact that just a ‘small number’ of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach."
The breach was not related to the Heartbleed bug, discovered earlier this year.
Emm said: "Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can’t rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place.
However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data."
Go to the next page for a guide on what you should do with your eBay account.
What should I do with my eBay account?
It has been recommended that all eBay users should immediately change their passwords. Personal information that could have been compromised on your account includes customer names, encrypted password, email address, physical address, phone number and date of birth.
As this isn’t a politically motivated attack, but rather a commercial one, it is not safe to assume your information won’t be used. This is why immediate action should be taken and any suspicious activity within your account should be reported to eBay.
PayPal, the payment service eBay customers use, was not affected in the attack. However, if you want to be extra secure, changing your PayPal password is also advised if you use the same password for both. Furthermore, it can be advised to change all of your passwords if you use the same one for your online accounts.
What should I look out for?
One of the most obvious things to look out for is ‘phishing’ emails. These will be under the disguise of authentic emails from eBay asking you to reset your password. The email will direct you to a fake webpage that poses as eBay where you enter in your password, but it is then stolen.
Of course, eBay will be issuing advisory emails themselves but they will never ask for your password. If you are unsure, it is best to ignore any emails, and go straight to the eBay website to manage your account. The real eBay website will be marked as https://www.ebay.co.uk/ or https://www.ebay.com in the URL bar at the top of your Internet browser.
Pass this information on to any family or friends that also have eBay accounts. These hackers are relying on the fact that a large proportion of eBay users will not be security savvy.