Wednesday, 21 May 2014

eBay hit by world's biggest web raid

128 million told they have to change their passwords NOW after hackers access personal details

  • Attack made between February and March and affects 128 million users
  • Hackers infiltrated the corporate network after stealing employee logins
  • This gave hackers access to eBay customers' name, encrypted password, email address, home address, phone number and date of birth
  • Firm said there is no evidence to suggest PayPal accounts were affected
  • But security experts are warning hackers could still use personal details to commit identity fraud - even after the password has been changed
  • It is unclear why it has taken eBay so long to make users aware of the breach

Millions of eBay users have had their email, home addresses, passwords, phone numbers and birth dates stolen in the biggest criminal raid ever carried out online.

Hackers are believed to have accessed eBay databases by using the accounts of company employees as long ago as February. However, eBay only discovered the security breach two weeks ago.

In a statement on their website, the US auction site said it was asking all its users to reset their passwords after an attack ‘compromised a database containing encrypted passwords and other non-financial data’.

eBay is requesting that all users change their passwords. Earlier today, a message was posted under the headline 'eBay Inc. To Ask All eBay Users To Change Passwords'. The only text in the body of the post was 'placeholder text.' It was taken down within hours

WHAT DO WE KNOW ABOUT THE CYBER ATTACK?

The eBay database was hacked between late February and early March.

It gave hackers access to encrypted passwords and other non-financial data.

This included eBay customers' name, encrypted password, email address, home address, phone number and date of birth.

However, the database did not contain financial information or other confidential personal data.

Cyber attackers accessed the information after obtaining ‘a small number of employee login credentials’.

The online market place added that it had no evidence of there being unauthorised activity on its members' accounts.

But security experts are warning hackers could still use personal details to commit identity fraud.

eBay became aware of the hack a fortnight ago but is still unsure exactly how it happened.

It is unclear why it has taken eBay so long to make users aware of the breach.

Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.

The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: ‘PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’

The firm has 128million active users and accounted for £126billion worth of commerce in 2013. Shares in the web giant, which has more than 14million active users in the UK, fell by 3.2 per cent in early trading yesterday amid fears that the company will lose the trust of its customers, leading to a downturn in trade and profits.

A statement from the firm, which is based in San Jose, California, said: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’

The auction site added that it had no evidence of there being unauthorised activity on its members' accounts. But security experts are warning hackers could still use personal details to commit identity fraud
The cyber attack was made between late February and early March, giving hackers access to eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. The firm said it will be emailing users later today to inform them of the breach

And an eBay spokesman said: ‘Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.

‘There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.’

But Graham Cluley, from security firm Sophos, said: ‘Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.

‘If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.’

And internet security expert Paul Martini said: ‘eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.

‘It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.’

He added: ‘Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.’

The internet is still recovering from the Heartbleed bug, a flaw in the OpenSSL encryption on computers that protects user information when someone is online.

The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web. UK parenting website Mumsnet was the first to admit they had been a victim of the bug. Fixes, or ‘patches’, have since been applied across the web as sites recover from the breach in security.

HOW DOES THE EBAY HACK AFFECT YOU? WHAT YOU NEED TO KNOW

What personal details were stolen?

Hackers gained access to eBay customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.

Are my credit card details safe?

The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes. 

Will changing my password solve the problem?

Changing passwords will stop hackers from being able to use any login details that were stolen.

However, they could still use names, addresses and birth dates to commit identity fraud. 

It’s a good idea to change passwords following any attack such as this. It’s also important to update login details on any sites that use the same password.

If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.

As a rule, the same password should never be used across different sites.

Should I change my PayPal password as well?

PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.

However, as a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.

Which countries are affected?

At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.

Is this hack a result of the Heartbleed bug?

When Heartbleed was exposed, eBay announced its customers' accounts were secure and had not been affected. This suggests the latest hack is a separate attack.

How did hackers steal the information?

It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.

Why did it take so long for eBay to inform customers of the breach?

MailOnline has contacted eBay for an answer to this question. It is unclear what caused the delay.

Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice. 

Early reports claimed the password change on eBay could be as a result of the worldwide Heartbleed security breach last month, but PayPal said at the time its servers weren't at risk and had not been affected