Online auction site eBay revealed this week that an electronic attack has compromised the personal information of its 145 million members. The service says there's no evidence of financial data exposure, but it's requesting that users change their passwords.
"We are cooperating with law enforcement on the investigation into the attack," an eBay spokesperson said. "There is no evidence that customer financial information was compromised."
According to eBay, hackers broke into a database that contains encrypted passwords, email addresses, physical addresses, phone numbers, dates of birth, and other data, including in some cases name and password combinations that would allow those hackers to take over individual accounts. Passwords for the PayPal payment service—which is owned by eBay—were not compromised, the firm claims.
PayPal has 148 million active registered accounts, eBay says.
The eBay attack comes in the wake of other similar hacks involving retailers such as Target and software maker Adobe. It is the second-biggest online account breach so far, after the 152 million user accounts involved in the Adobe attack.
Aside from the obvious fear here—as a major online destination for financial transactions, eBay is of course an obvious target—there are growing fears that these kinds of attacks could lead to chains of exploits because so many users use the same user name and password combinations on different services. And hackers are apparently using seized account information to try to break into bank accounts.
Security experts are already charging eBay with not doing enough to protect its customers: if the firm knows that passwords were compromised, they correctly argue, eBay should simply require all of its users to change their passwords immediately.
Instead, the firm is recommending that its users change passwords voluntarily. The theory here is that the stolen passwords are encrypted, so it's not clear how or if the hackers would be able to access that information. "There is no evidence of impact on any eBay customers," an eBay spokesperson said. "We don't know that they decrypted the passwords because it would not be easy to do."
Further, eBay says it has brought in the Mandiant forensics division of FireEye to help it figure out exactly what happened. But the early investigation reveals that human error, as always, was at the heart of the exploit: the hackers obtained login credentials for a "small number" of eBay employees and then used that access to carry out their attack.
If you do have an eBay account, even one that has been dormant for a while, you should change the password. And please, don't use a username/password combination that you use elsewhere.