The online auction giant eBay said on Wednesday that a compromise of an employee’s account led to the compromise of a database storing passwords and sensitive account data for 145 million customers, worldwide.
The company issued a statement on Wednesday saying that it was asking all its users to update their password, following the discovery two weeks ago that an employee’s account had been compromised and used to gain unauthorized access to the database. The hack occurred in late February or March, according to a forensic examination by eBay.
eBay conducted what it described as “extensive tests on its networks” and said it did not find evidence of unauthorized activity on eBay user accounts linked to the incident. The online auction firm said it also has no evidence of unauthorized access to financial or credit card information, which is stored separately and in encrypted formats.
In the incident, unidentified cyber attackers compromised what eBay described as “a small number of employee log-in credentials,” which gave them access to eBay’s corporate network. allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information.
Details on the compromise were not provided, but the company acknowledged that the compromised employee log-in credentials were first detected about two weeks ago. A forensic examination subsequently identified the compromised eBay database, resulting in the company’s announcement today.
The breach makes eBay just the latest major firm to suffer a data breach after discount retailer Target and software firm Adobe. Mark Stanislav, the security evangelist for DUO Security, said that compromised employee credentials are a common theme in the attacks.
“A single employee account is often all that an attacker needs to do lateral movement within an organization,” he said.
Large firms like eBay are often challenged to keep track of employee permissions to access sensitive systems, meaning that attackers can often get access to valuable IT assets even without compromising the account of a senior company officer or technical lead, Stanislav said.
While eBay had weeks to digest the attack, the company’s initial response to the incident was understated. Hours after the company released its public statement, users said they had not been notified of the breach or the need to change their account password. The main eBay web site made no mention of the breach, nor were users notified of the breach upon logging in to their account.
“I was surprised that there wasn’t a more prominent mention of it,” said Mark Stanislav, the security evangelist at DUO Security. “Its good that their (press) release gave some context – like the employee credentials were stolen. But I thought the guidance for users was lacking.”
In a Twitter response to this reporter, eBay said that it was “in the process of notifying users (and) asking them to change their password via email, site & other communications.”
