eBay slammed over slow post-cyber attack password reset response

eBay hack results in password data being compromised, but industry watchers question why it took the site so long to alert users

eBay sign

eBay has come under fire for not alerting users their passwords may have been compromised by cyber attackers as soon as details of the breach came to light.

eBay confirmed that a company database containing its members' passwords has been compromised yesterday, prompting the firm to call on users to update their site login credentials.

Advertisement - Article continues below

The internet auction giant said in a statement that it had been the victim of a cyber attack that resulted in encrypted passwords and other "non-financial" data being accessed. This includes details of users' home addresses, phone numbers, birthdays and email addresses.

The attack is thought to have happened sometime between late February and early March but only came to light a fortnight ago, the company said.

The latter point has seen the firm's cyber security response come under fire from a slew of industry watchers, who have queried why it took the firm so long to alert users.

Despite the company publishing a statement, instructing users to update their passwords, a message to this effect has only appeared on the eBay home page today.

David Robinson, chief security officer at Fujitsu UK and Ireland, said the case highlights the need for companies of all shapes and sizes to deploy robust threat detection tools.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"It seems that not a week goes by that we don't see a data breach of one type of another. Over the last few months, we have seen many high profile companies affected by these types of attacks, and eBay is the latest company in the spotlight," said Robinson.

"The fact that this breach was able to go unnoticed for a number of weeks is testament to the fact that companies need to be doing more as the cyber-criminal industry continues to evolve."

Although, David Emm, senior security researcher at Kaspersky Lab, said users should be more concerned about the fact it took several months for eBay to detect the breach.

"The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond, if the company has only just discovered the full extent of the attack, it is now doing the right thing by notifying customers in a timely manner," he said.

Advertisement - Article continues below

The perpetrators reportedly gained access to the database by stealing a "small number" of employee log-in credentials, eBay has revealed, which allowed them to gain unlawful access to its corporate network.

"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," a company statement reads.

However, eBay has been quick to stress that it has uncovered no evidence the attack has resulted in the unauthorised use of its members' accounts or that any credit card data has been accessed at this time.

Even so, the company is urging all of its members to change their passwords as a matter of urgency.

"Information security and customer data protection are of paramount importance to eBay... [and the company] regrets any inconvenience or concern this password reset may cause our customers," the statement adds.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

Advertisement - Article continues below

The company has also confirmed that it has no reason to believe the attackers also accessed data from online payment provider PayPal, which eBay acquired in 2002 and is used by the vast majority of its users to carry out transactions.

"PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," it added.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement
Advertisement

Recommended

Visit/security/phishing/355120/hackers-pose-as-three-to-exploit-high-data-demand
phishing

Hackers target Three customers with "sophisticated" phishing scam

26 Mar 2020
Visit/security/355013/10-quick-tips-to-identifying-phishing-emails
Security

10 quick tips to identifying phishing emails

16 Mar 2020
Visit/business-strategy/mergers-and-acquisitions/354941/panda-security-to-be-acquired-by-watchguard
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular

Visit/security/privacy/355155/zoom-kills-facebook-integration-after-data-transfer-backlash
privacy

Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/cloud/355098/ibm-dedicates-supercomputing-power-to-coronavirus-researchers
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020