
eBay slammed over slow post-cyber attack password reset response

eBay hack results in password data being compromised, but industry watchers question why it took the site so long to alert users


eBay has come under fire for not alerting users their passwords may have been compromised by cyber attackers as soon as details of the breach came to light.

eBay confirmed yesterday that a company database containing its members' passwords has been compromised, prompting the firm to call on users to update their site login credentials.

The internet auction giant said in a statement that it had been the victim of a cyber attack that resulted in encrypted passwords and other "non-financial" data being accessed. This includes details of users' home addresses, phone numbers, birthdays and email addresses.

The attack is thought to have happened sometime between late February and early March but only came to light a fortnight ago, the company said.

The latter point has seen the firm's cyber security response come under fire from a slew of industry watchers, who have queried why it took the firm so long to alert users.

Although the company published a statement instructing users to update their passwords, a message to this effect has only appeared on the eBay home page today.

David Robinson, chief security officer at Fujitsu UK and Ireland, said the case highlights the need for companies of all shapes and sizes to deploy robust threat detection tools.

"It seems that not a week goes by that we don't see a data breach of one type or another. Over the last few months, we have seen many high profile companies affected by these types of attacks, and eBay is the latest company in the spotlight," said Robinson.

"The fact that this breach was able to go unnoticed for a number of weeks is testament to the fact that companies need to be doing more as the cyber-criminal industry continues to evolve."

However, David Emm, senior security researcher at Kaspersky Lab, said users should be more concerned about the fact it took several months for eBay to detect the breach.

"The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond, if the company has only just discovered the full extent of the attack, it is now doing the right thing by notifying customers in a timely manner," he said.

The perpetrators reportedly gained access to the database by stealing a "small number" of employee log-in credentials, eBay has revealed, which allowed them to gain unlawful access to its corporate network.

"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," a company statement reads.

However, eBay has been quick to stress that it has uncovered no evidence the attack has resulted in the unauthorised use of its members' accounts or that any credit card data has been accessed at this time.

Even so, the company is urging all of its members to change their passwords as a matter of urgency.

"Information security and customer data protection are of paramount importance to eBay... [and the company] regrets any inconvenience or concern this password reset may cause our customers," the statement adds.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

The company has also confirmed that it has no reason to believe the attackers accessed data from online payment provider PayPal, which eBay acquired in 2002 and which is used by the vast majority of its users to carry out transactions.

"PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," it added.
