Hackers raided the network of EBay Inc. three months ago, accessing some 145 million user records. This will go down as one of the biggest data breaches in history, based on the number of accounts compromised. EBay advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.
EBay spokeswoman Amanda Miller told Reuters that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them. She had this to say:
There is no evidence of impact on any eBay customers. We don’t know that they decrypted the passwords because it would not be easy to do.
Ms. Miller said the hackers gained access to 145 million records and that they copied “a large part” of them. Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, according to Ms. Miller. But she says financial data, such as credit card numbers, were not taken.
EBay has hired FireEye Inc.’s Mandiant forensics division to help investigate the matter. Mandiant is known for publishing a February 2013 report that described what it said was a Shanghai-based hacking group linked to the People’s Liberation Army. EBay earlier had said a large number of accounts may have been compromised, but declined to say how many. Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.
Trey Ford, a global security strategist with cybersecurity firm Rapid7, said: “People need to stop reusing passwords and should change their affected passwords immediately across all the sites where they are used.” According to Michael Coates, director of product security with Shape Security, there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so. Still, eBay said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.
EBay said the hackers got in after obtaining login credentials for “a small number” of employees, allowing them to access eBay’s corporate network. Reportedly, EBay discovered the breach in early May and immediately brought in security experts and law enforcement to investigate. Ms. Miller, when asked why the company had not immediately notified users, responded that the company had “worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise.” Apparently, that was her only explanation for why the company had not immediately notified users. I am not sure that answer to this question is acceptable.
The breach, based on the number of records accessed by the hackers, could go down as the second-biggest in history at a U.S. company. Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems Inc. in October 2013, when hackers accessed about 152 million user accounts. It would be larger than the one that Target Corp. disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records. I suspect the inquiries relating to the EBay problems are just beginning.
Source: Claims Journal