Millions at risk of identity theft as hackers hit eBay
MILLIONS of eBay customers could be at risk of identity theft after hackers stole personal data from company servers, warn security researchers.
The auction site asked all 145 million of its active users to change their passwords as it emerged that hackers managed to access their personal information.
Names, email and postal addresses, phone numbers and dates of birth of customers have been compromised.
It is feared that those details could now be used to leverage access to users' other online accounts.
"Cyber attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network," said a company statement.
"The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information."
A company spokesman declined to comment on how many registered Irish eBay users the company has, but it is understood to run into hundreds of thousands.
The security breach raises fears of 'phishing' attacks, where eBay customers receive emails purporting to be from the company – but which are designed to trick them into clicking on unsafe web links.
Some sites such as online banking services accept a date of birth and address as part of their secure log-in process, while telephone banking services will often request the same details. Having a list of these personal details would make life easier for a cyber criminal.
eBay said that the compromised employee log-in credentials were first detected about two weeks ago.
It is thought that hackers managed to access some eBay employee log-ins which gave access to the company's corporate network. From there the attackers were able to access the database containing users' information.
Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement yesterday.
The online retailer said it has no evidence of the compromise resulting in unauthorised activity for eBay users, and no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats.
"Changing passwords is a best practice and will help enhance security for eBay users," said the company statement.
"Working with law enforcement and leading security experts, we are aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
"We believe we have shut down unauthorised access to our site and have put additional measures in place to enhance our security," it said.
Paul Martini, chief executive at online safety experts iboss Network Security, said that eBay could be viewed as the "golden goose of hacking targets" because of the vast scale of information it holds.
"Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay, they may take the personal information gained from the database and target other popular sites."
The hacking attack is only the latest to affect Irish online shoppers.
Clare-based online loyalty firm Loyaltybuild said that it had spent over €500,000 on fixing security flaws that led to a major security breach.
Loyaltybuild runs special offers and incentive schemes for major retailers in Ireland and abroad.
The credit card details of hundreds of thousands of customers were reported stolen following a data breach at the company last year.