The Washington Post

eBay asks 145 million users to change passwords after data breach


Online commerce giant eBay asked users to change their passwords Wednesday after hackers stole encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.

The data breach occurred between late February and early March, according to a press statement posted on the company's Web site Wednesday.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the company said. The company added that it is working with law enforcement and security experts to investigate the breach and has not noticed any fraudulent activity related to the incident.

EBay spokeswoman Amanda Miller said the company is asking all of its 145 million active users to change their passwords as a "precautionary measure," but is not sure how many accounts were compromised in the breach. No financial information, including credit card numbers, was stolen, she said.

PayPal information was also safe, the company said, because it was encrypted and stored on a different network. "We have no evidence that any customer financial information, such as taxpayer IDs, or credit card numbers were accessed," Miller said.

That makes the breach less serious than the cybersecurity incident that rocked Target last winter, Miller said. In the Target breach, hackers were able to steal information on up to 110 million customers during the holiday shopping season, including the financial information of up to some 40 million people.

According to Miller, eBay discovered the breach in early May, meaning it went unnoticed for about a month. The company spent a few weeks investigating the incident before disclosing it to the public.

"Organizations are under considerable pressure to disclose a breach quickly," says Trey Ford, a global security strategist at cybersecurity firm Rapid7. "I think this pressure complicates the already considerable challenge of confidently drawing a box around what was compromised and confirming the attacker’s access and influence has been eliminated, making sure they will not return."

The site's users should heed eBay's request to change their passwords, Ford says, because the hackers will eventually be able to break the encryption that secures them. "Users that use their eBay password elsewhere should immediately go change that password on other sites – especially their e-mail," he added.

Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.