Online marketplace eBay says it will urge users to change their passwords following a “cyberattack” impacting a database with encrypted passwords and non-financial data.
The database includes information such as customers’ names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.
EBay also was using a more easily-cracked method for protecting the passwords it kept on file. There are two commonly used ways to secure passwords, encryption and hashing. EBay was using encryption, which is the more easily broken, said Coates.
“Encryption allows eBay, or anyone who access the decryption key, to decrypt and see your actual password. Password hashing allows eBay to check if the password you enter is correct or not, but doesn’t allow eBay (or hackers) to get the plaintext of your actual password,” he said.
In addition to passwords, the database contained basic login information like name, email, phone number, address and date of birth, but officials stressed that, aside from the passwords, no confidential or personal information was included in the breach.
That’s an odd way of putting it, since those pieces of data are exactly what show up on the “Personal Information” page of my eBay account.
Update (2014-05-25): eBay:
All eBay users are being asked to change their password. All eBay users will be notified. At the end of Q1, we had 145 million active buyers.
The online auction site eBay has admitted that the name, address, date of birth, telephone number, email address and encrypted password of every eBay account holder worldwide – 233 million people – have been obtained by hackers, in one of the world’s largest ever online security breaches.
Update (2014-05-26): I finally received an e-mail from eBay recommending that I reset my password.
Stay up-to-date by subscribing to the Comments RSS Feed for this post.