eBay slammed over slow post-cyber attack password reset response

eBay hack results in password data being compromised, but industry watchers question why it took the site so long to alert users


eBay has come under fire for not alerting users, as soon as details of the breach came to light, that their passwords may have been compromised by cyber attackers.

eBay confirmed yesterday that a company database containing its members' passwords has been compromised, prompting the firm to call on users to update their site login credentials.

The internet auction giant said in a statement that it had been the victim of a cyber attack that resulted in encrypted passwords and other "non-financial" data being accessed. This includes details of users' home addresses, phone numbers, birthdays and email addresses.

The attack is thought to have happened sometime between late February and early March but only came to light a fortnight ago, the company said.

The latter point has seen the firm's cyber security response come under fire from a slew of industry watchers, who have queried why it took the firm so long to alert users.

Despite the company publishing a statement instructing users to update their passwords, a message to this effect has only appeared on the eBay home page today.

David Robinson, chief security officer at Fujitsu UK and Ireland, said the case highlights the need for companies of all shapes and sizes to deploy robust threat detection tools.

"It seems that not a week goes by that we don't see a data breach of one type or another. Over the last few months, we have seen many high-profile companies affected by these types of attacks, and eBay is the latest company in the spotlight," said Robinson.

"The fact that this breach was able to go unnoticed for a number of weeks is testament to the fact that companies need to be doing more as the cyber-criminal industry continues to evolve."

However, David Emm, senior security researcher at Kaspersky Lab, said users should be more concerned about the fact it took several months for eBay to detect the breach.

"The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond, if the company has only just discovered the full extent of the attack, it is now doing the right thing by notifying customers in a timely manner," he said.

The perpetrators reportedly gained access to the database by stealing a "small number" of employee log-in credentials, eBay has revealed, which allowed them to gain unlawful access to its corporate network.

"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," a company statement reads.

However, eBay has been quick to stress that it has uncovered no evidence the attack has resulted in the unauthorised use of its members' accounts or that any credit card data has been accessed at this time.

Even so, the company is urging all of its members to change their passwords as a matter of urgency.

"Information security and customer data protection are of paramount importance to eBay... [and the company] regrets any inconvenience or concern this password reset may cause our customers," the statement adds.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

The company has also confirmed that it has no reason to believe the attackers also accessed data from online payment provider PayPal, which eBay acquired in 2002 and which is used by the vast majority of its users to carry out transactions.

"PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," it added.
