Giant online retailer eBay who turn over $128 Billion a year has been compromised with tens of thousands of Australians now being urged to change their password after more than 128 million eBay records were compromised.
The eBay network is believed to have been compromised back in February and March however eBay management claim that they did not become aware of the hack attack until three weeks ago despite having this knowledge they did not tell customers that large amounts of confidential information was at risk until last night.
The attack gave hackers access to encrypted passwords and other non-financial data.
This included eBay customers’ name, encrypted password, email address, home address, phone number and date of birth.
ChannelNews also suspects that the attackers would also be able to identify bank account details.
It is unclear why it has taken eBay so long to make users aware of breach, In Australia media organisations who cover technology have not been made aware of the breach by eBay.
Adobe who saw millions of Adobe customer records stolen late last year only revealed that confidential information had been stolen from their servers after a security expert exposed the hack attack.
EBay Inc. own Pay Pal with the two services intimately linked, what is not known is whether Pay Pal has been compromised as eBay customers often use the same username and password for both services.
The online retailer Bay has urged its 128 million users to change their passwords following the attack on their databases.
How hackers got into the system is that they were able to get access to a number of eBay employee login details, this allowed them to easily infiltrate the eBay network.
Today eBay is requesting that all users change their passwords.
Earlier today, a message was posted under the headline ‘eBay Inc. To Ask All eBay Users to Change Passwords’. The only text in the body of the post was ‘placeholder text.’ It was taken down within hours.
The online retailer who is working with a lot of mass retailers in Australia to shift old stock claims that it had no evidence of there being unauthorised activity on its members’ accounts.
EBay and Pay Pal also own Magento a retail platform that is used by Harvey Norman and Bing Lee as the backend for their online operations.
Security experts are warning hackers could still use personal details to commit identity fraud.
At this stage there is no evidence of unauthorised access or compromises to personal or financial information for PayPal users who are asked to supply copies of banking details, rate notes, and proof of occupation of a premises as well as driving licence before they can access to their money.
This same information is being collected in Australia by Dunn & Bradstreet who act as agents for Pay Pal and eBay.
Neither Pay Pal or Dunn and Bradstreet are saying how they secure this confidential information.
The company said it is encouraging any eBay user who used the same password on other sites to change those passwords too.
‘That is a serious concern,’ Graham Cluely from security firm Sophos told the Mail Online.
‘Obviously they’ve got hold of names, addresses and date of births. All of this can be used to commit identity fraud.
‘What we don’t know at the moment is how strongly eBay has encrypted its passwords and that could be a key issue.
‘If they have your password, and you have the same password for other websites, hackers could access your email, your bank account and who knows what else.’
Security experts are warning hackers could still use personal details to commit identity fraud
Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter,’ warned Trey Ford, a global security strategist at Rapid7.
‘Expect an uptick in phishing, do not click on links in emails, or discuss anything over the phone. Call customer service instead or go directly to websites as you normally would.’
News of the hack attempt emerged overnight when a message was posted on PayPal under the headline ‘eBay Inc. To Ask All eBay Users To Change Passwords.’
The only text in the body of the post was ‘placeholder text’ and it was taken down within hours.
The Company now claim that they are working with law enforcement and leading security experts, and that they are aggressively investigating the matter and applying the best forensics tools and practices to protect customer,’ the group added.
The question now is “Are your credit cards details safe?”
The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes.
Will changing a password solve the problem?
Changing passwords will stop hackers from being able to use any login details that were stolen.
However, they could still use names, addresses and birth dates to commit identity fraud.
As a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.
Early reports claimed the password change on eBay could be as a result of the worldwide Heartbleed security breach last month, but PayPal said at the time its servers weren’t at risk and had not been affected.
‘EBay workers could have been phished, using spyware installed on their computers or they could have been using old passwords,’ said Mr Cluely.
In January, a former Google software engineer, Naoki Hiroshima, published a blog post titled ‘My $50,000 Twitter Username Was Stolen Thanks to PayPal and GoDaddy’.
In it, he said a scammer used social engineering techniques to get PayPal and GoDaddy employees to release information that helped the scammer hijack his account.
‘I called PayPal and used some very simple engineering tactics to obtain the last four digits of your card,’ the scammer said.
However, eBay denied the allegation claiming its PayPal’s customer service agents were well trained to prevent social hacking attempts.
The California-based company has 128 million active users and accounted for $212 billion worth of commercial activities last year.
