Hackers raid EBay in historic breach, access 145 million records

By Jim Finkle, Soham Chatterjee and Lehar Maan, Reuters

Posted at May 22 2014 10:28 AM | Updated as of May 22 2014 11:58 PM

(UPDATE) EBay Inc said that hackers raided its network three months ago, stealing some 145 million user records from a database in what is poised to go down as one of the biggest data breaches in history based on the number of accounts compromised.

It advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack carried out between late February and early March.

EBay spokeswoman Amanda Miller told Reuters those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.

"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."

She said the hackers copied a massive user database that contained those passwords, as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.

The company had earlier said a large number of accounts may have been compromised, but declined to say how many


Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.

"This is not a breach that only hurts EBay. This is a breach that hurts all websites," said Michael Coates, director of product security with Shape Security.

He said that companies typically only ask users to change passwords if they believes there is a reasonable chance attackers may unscramble encrypted passwords.

Once the passwords are unscrambled, attackers could use automated software that seeks to log into thousands of popular services, including Facebook, Twitter, popular email services and online banking sites, he said.

EBay spokeswoman Amanda Miller said the company was making the request "out of an abundance of caution" and that it used "sophisticated," proprietary hashing and salting technology to protect the passwords.

Amit Yoran, senior vice president of EMC Corp's RSA security division, said that cyber criminals sometimes take data from multiple breaches, combining them into detailed portfolios that fraudsters can use for scams.

"We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals," Yoran said. "The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud."


EBay said its investigation of the breach is ongoing, with assistance from law enforcement.

"For the time being, we cannot comment on the specific number of accounts impacted," eBay spokeswoman Kari Ramirez said. "However, we believe there may be a large number of accounts involved."

The company said it had not seen any indication of increased fraudulent activity on eBay and that there was no evidence its PayPal online payment service had been breached.

EBay provided little information about how the hackers got in. It said they obtained login credentials for "a small number" of employees, allowing them to access eBay's corporate network.

It said it discovered the breach in early May and immediately brought in security experts and law enforcement to investigate.

"We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise," Miller said when asked why the company had not immediately notified users.

When asked who was behind the attack, she said: "We will not speculate on who is responsible at this time."


Research analysts said there was not enough information available to assess whether eBay had been negligent.

"The real key question going forward will be if any money has been stolen, or any unauthorized activity been performed," Wedbush Securities analyst Gil Luria said. "As long as this is not the case, this thing will come and go and will not be an issue for eBay."

Security experts say that virtually every major corporation, government agency and other organization has been hacked at one time.

They say it is almost impossible to prevent hackers from getting into networks using social engineering techniques such as sending carefully crafted phishing emails that lure targets to tainted websites or entice them to click on malicious links. In some cases they infect websites frequented by their targets, such as the sandwich shop of a local restaurant or professional organizations.

EBay's shares fell as low as $50.30 in early trading on the Nasdaq before recovering to $51.83 in late afternoon.

EBay has been attacked before. In February, the Syrian Electronic Army hacking group breached and defaced websites belonging to PayPal UK and eBay.

One of the biggest breaches at a U.S. company was at retailer Target Corp, where hackers last year stole some 40 million credit card numbers and another 70 million customer records.

Last month, U.S. web media company AOL Inc urged its tens of millions of email account holders to change their passwords and security questions, saying a cyber attack compromised about 2 percent of its accounts.