Hackers stole some 145 million user records from eBay servers in what is poised to go down as one of the biggest data breaches in history.
The online auction site advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.
The breach gave the hackers access to 145 million records of which they copied "a large part". Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.
Spokeswoman Amanda Miller told Reuters early this morning that those passwords were encrypted and that the company had no reason to believe the hackers had cracked the code that scrambled them.
"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."
But Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so.
Miller said the company has hired FireEye's Mandiant forensics division to help investigate the matter. When asked why the company had not immediately notified users, she said: "We worked aggressively and as quickly as possible to ensure accurate and thorough disclosure of the nature and extent of the compromise."
The breach could go down as the second-biggest in history at a US company, based on the number of records accessed by the hackers, coming a close second to the breach at software maker Adobe Systems in October 2013, when hackers accessed about 152 million user accounts.
It would be larger than the one that Target disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.
Wieland Alge, EMEA general manager of IT security firm Barracuda Networks, said the attack showed that overinvesting in state-of-the-art perimeter defences was pointless if companies allowed their employees to leave a back door open for hackers.
“Today, more than ever before, we have to operate in a zero trust environment,” he said. “Collective mistrust is no longer a sign of paranoia but has become a guiding principle of IT.
“Every application and every piece of hardware can now be hacked so IT security has to mistrust everything and everyone. Not customers, not governments and especially not employees. They hold the key to so much and the stakes are so high.”