eBay hack 'one of the biggest data breaches in history'

The cyber-attack on eBay is poised to go down as one of the biggest data breaches in history, with experts warning that even after users have changed their passwords the breach could have "catastrophic" consequences.

Some 145 million user records have been accessed by hackers, the company announced in a statement yesterday. All eBay users have been advised to change their passwords immediately.

Web security experts warn that this may not be enough, and the ramifications of the hack could be "catastrophic".

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Avivah Litan, an analyst at technology research firm Gartner told the Financial Post that if cyber-attackers manage to compile data from a variety of sources, "a massive incident is in the pipeline, such as widespread identity theft or thousands of financial accounts being taken over".

Alan Woodward, an independent security consultant agrees: "The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems though password reset scams", Woodward told the BBC.

More than 15 million British people, and over a hundred million more worldwide are at risk of identity theft after the attack, the Daily Telegraph notes. The online security breach leaves not just passwords, but also names, addresses and telephone numbers in the hands of hackers.

The danger also goes beyond the internet, the Telegraph notes, because some telephone banking services allow users to log in using their date of birth and address for verification. This could result in massive banking theft and financial fraud.

Paul Martini, the chief executive at iboss Network Security, said: “The damage could well have already been done, as the time lag between the cyber breach and the discovery of the breach is in the months. Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.”

MPs said that the US-based firm's delay in admitting to the breach was “inexcusable”.

eBay forces users to change passwords after cyber-attack

20 May

Onling retailer eBay will force all 128 million of its users to change their passwords after discovering that the site had been compromised.

The company said databases containing encrypted passwords and other non-financial data had been attacked some time in February or March.

According to the company's records, no unauthorised activity has been recorded, but requiring all users to change their account details is "best practice and will help enhance security for eBay users".

The attack came about, eBay said in a post on its corporate site, because "cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network".

The post added: "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

The retailer has 128 million active users and accounted for $212bn (£126bn) worth of transactions on its wide range of services in 2013, the BBC reports.

In spite of the company's reassurances that no illegal transactions had occurred, one expert told the BBC that the hackers might still be able to exploit the security breach.

"We all know that given enough time hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant.

"The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems though password reset scams."

eBay users are advised to visit the site and change their password as soon as possible.