The Washington PostDemocracy Dies in Darkness

eBay asks 145 million users to change passwords after data breach

Placeholder while article actions load

Online commerce giant eBay asked users to change their passwords Wednesday after hackers stole encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.

The data breach occurred between late February and early March, according to a press statement posted on the company's Web site Wednesday.

"Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network," the company said. The company added that it is working with law enforcement and security experts to investigate the breach and has not noticed any fraudulent activity related to the incident.

EBay spokeswoman Amanda Miller said the company is asking all of its 145 million active users to change their passwords as a "precautionary measure," but is not sure how many accounts were compromised in the breach. No financial information, including credit card numbers, were stolen, she said.

Paypal information was also safe, the company said, because it was encrypted and stored on a different network. "We have no evidence that any customer financial information, such as taxpayer IDs, or credit card numbers were accessed," Miller said.

That makes the breach less serious than the cybsercurity incident that rocked Target last Winter, Miller said. In the Target breach, hackers were able to steal information on up to 110 million customers during the holiday shopping season, including the financial information of up to some 40 million people.

According to Miller, eBay discovered the breach in early May, meaning it went unnoticed for about a month. The company spent a few weeks investigating the incident before disclosing it to the public.

"Organizations are under considerable pressure to disclose a breach quickly," says Trey Ford, a global security strategist at cybersecurity firm Rapid7. "I think this pressure complicates the already considerable challenge of confidently drawing a box around what was compromised and confirming the attacker’s access and influence has been eliminated, making sure they will not return."

The site's users should heed eBay's request to change their passwords, Ford says, because the hackers will eventually be able to break the encryption that secures them. "Users that use their eBay password elsewhere should immediately go change that password on other sites – especially their e-mail," he added.