eBay asks users to change password

eBay asks users to change password following cyberattack, no evidence of unauthorized activity

 

The Associated Press, at 09:48 on May 21, 2014, EDT.
 

SAN JOSE, Calif. - E-commerce site eBay is asking users to change their password after a cyberattack compromised a database containing encrypted passwords.

 

The company says there is no evidence of any unauthorized activity and there is no evidence any financial or credit card information was stolen.

 

eBay says its investigation is active and it can't comment on the specific number of accounts affected, but says the number could be large.

 

Cyber attackers stole a small number of employee log-in credentials that gave them access to eBay's corporate network. The San Jose, California-based company is working with law enforcement to investigate the attack.

 

The database was hacked sometime between late February and early March.

 

eBay owns electronic payment service PayPal, but eBay says there is no evidence PayPal information was hacked.

Message 1 of 37

Re: eBay asks users to change password

Credit cards maxed ..paypal and bank account empty so as long as they don't have my Social insurance number bring it on hackers ..LOL

Message 21 of 37

Re: eBay asks users to change password

BOSTON (Reuters) - eBay Inc said that hackers raided its network three months ago, accessing some 145 million user records in what is poised to go down as one of the biggest data breaches in history, based on the number of accounts compromised.

It advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.

 

eBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.

 

"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."

 

She said the hackers gained access to 145 million records of which they copied "a large part". Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.

 

Miller also said the company has hired FireEye Inc's Mandiant forensics division to help investigate the matter. Mandiant is known for publishing a February 2013 report that described what it said was a Shanghai-based hacking group linked to the People's Liberation Army.

 

eBay earlier said a large number of accounts may have been compromised, but declined to say how many.

 

Security experts advised eBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.

 

"People need to stop reusing passwords and should change their affected passwords immediately across all the sites where they are used," said Trey Ford, global security strategist with cybersecurity firm Rapid7.

 

Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so.

 

Still, eBay said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.

 

eBay said the hackers got in after obtaining login credentials for "a small number" of employees, allowing them to access eBay's corporate network.

 

It discovered the breach in early May and immediately brought in security experts and law enforcement to investigate, Miller said.

"We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise," Miller said when asked why the company had not immediately notified users.

 

The breach could go down as the second-biggest in history at a U.S. company, based on the number of records accessed by the hackers.

 

Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.

 

It would be larger than the one that Target Corp disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.

 

(This version of the story corrects the first, fifth and third-to-last paragraphs after company corrects its statement to say that 145 million records were accessed, but hackers only copied "a large part" of that database. Story originally said that hackers copied the entire database.)

Message 22 of 37

Re: eBay asks users to change password

cpatulea
Community Member
It sounds like eBay is still investigating and is not sure which records were and weren't accessed. Could an eBay employee comment on when eBay will give an official update on this?
Message 23 of 37

Re: eBay asks users to change password

"Could an eBay employee comment..."

 

I do not mean to be sarcastic but eBay cancelled the weekly "board hour" yesterday so its staff would not have to address this issue.  They are busy dealing with the problems internally.

 

It may take some time before eBay gives its members a full account of the problem, if it ever does.  Do not hold your breath as eBay does not have a reputation for candour.

Message 24 of 37

Re: eBay asks users to change password

So, nothing has actually gone wrong? Hackers really only got encrypted files? Files they can't do anything with?

How is this "bigger" than Target since nothing of real value was taken. That which was taken can't be used?
Message 25 of 37

Re: eBay asks users to change password

Financial Times:

 

Lessons from the eBay cyber attack

Breach of online auction company raises tough questions
 
Message 26 of 37

Re: eBay asks users to change password


@pierrelebel wrote:

Financial Times:

 

Lessons from the eBay cyber attack

Breach of online auction company raises tough questions
 

First thing that link does is ask you to sign up. Not doing it even if it is the Financial Times, lol. Not after the eBay fiasco. I know I can use my Hotmail account that is just for such signups but enough junk email in that account.

Message 27 of 37

Re: eBay asks users to change password

U.S. states probe eBay cyber attack as customers complain

 

BOSTON/NEW YORK (Reuters) - EBay Inc came under pressure on Thursday over a massive hacking of customer data as three U.S. states began investigating the e-commerce company's security practices.

 

Connecticut, Florida and Illinois said they are jointly investigating the matter. New York Attorney General Eric Schneiderman requested eBay provide free credit monitoring for everyone affected.

 

Details about what happened are still unclear because eBay has provided few details about the attack. It is also unclear what legal authority states have over eBay's handling of the matter.

 

The states' quick move shows that authorities are serious about holding companies accountable for securing data following high-profile breaches at other companies, including retailers Target Corp, Neiman Marcus and Michaels and credit monitoring bureau Experian Plc.

 

Congress and the Federal Trade Commission are investigating the Target breach, which resulted in the firing of the company's chief executive and its chief information officer.

 

"There is definitely a climate shift," said Jamie Court, president of the advocacy group Consumer Watchdog. "The departure of the Target CEO over the problem signals inside the board room and in the halls of government that these are betrayals of customers and that they won't be tolerated."

 

For more: http://finance.yahoo.com/news/hackers-raid-ebay-historic-breach-025624664.html

Message 28 of 37

Re: eBay asks users to change password


The legal problem relates to the Privacy Act and the confidentiality of information.

 

As sellers on eBay we are bound by the Privacy Act for Canada... and then for every country we ship to.

 

Buyers' information is private... confidential... not for us to release to the general public.... for whatever reason.

 

--------------------------------------------

 

Information not encrypted by eBay appears to be

 

customer names, email addresses, physical addresses, phone numbers and dates of birth.

 

 

Everything except dates of birth can be found on the internet... on databases such as White pages.

 

The date of birth takes everything to a different level.... and that could become a true theft of identity.....

 

Fake Bank accounts.... fake credit cards... and more....

 

 

and if any of the information is used... Who is responsible?

 

 

Many years ago  Canada's Social Insurance Number (SIN) was used in many situations that were inappropriate....  that was stopped.

 

Remember when the only mail to information was the SIN on a letter....  It happened, and the letter was delivered correctly.

 

 

 

Who is sharpening the guillotine?

 

 

 

Message 30 of 37

Re: eBay asks users to change password

eBay initially believed user data safe after cyberattack

 

BOSTON/SAN FRANCISCO (Reuters) - eBay Inc initially believed that its customers' data was safe as forensic investigators reviewed a network security breach discovered in early May and made public this week, a senior executive told Reuters on Friday.

 

eBay has come under fire over its handling of the cyberattack, in which hackers accessed personal data of all 145 million users, ranking it among the biggest such attacks launched on a corporation to date.

 

"For a very long period of time we did not believe that there was any eBay customer data compromised," global marketplaces chief Devin Wenig said, in the first comments by a top eBay executive since the e-commerce company disclosed the breach on Wednesday.

 

eBay moved "swiftly to disclose" the breach after it realized customer data was involved, he said.  Wenig would not say when the company first realized that the cyberattackers accessed customer data, nor how long it took to prepare Wednesday's announcement.

 

He said hackers got in using the credentials of three corporate employees, eventually making their way to the user database.

Hackers accessed email addresses and encrypted passwords belonging to all eBay users. "Millions" of users have since reset their passwords and the company had begun notifying users, though it would take some time to complete that task, Wenig said.

 

"You would imagine that anyone who has ever touched eBay is a large number," he said. "So we're going to send all of them an email, but sending that number all at once is not operationally possible."

 

At least three U.S. states are investigating the company's security practices. Customers have complained on social media about delayed notification emails. And New York's attorney general called on eBay to provide free credit monitoring services to users.

But the Internet retail giant has no plans to compensate customers or offer free credit monitoring for now because it had detected no financial fraud, Wenig said.

 

Wenig declined comment when asked if he thought eBay had good security prior to the breach. He said the company would now bolster its security systems, and has mobilized senior executives in a subsequent investigation of the attack.

 

"We want to make sure it doesn't happen again so we're going to continue to look our procedures, harden our operational environment and add levels of security where it's appropriate."

 

For more: http://finance.yahoo.com/news/exclusive-ebay-did-not-initially-200530180.html

Message 31 of 37

Re: eBay asks users to change password

..... hackers got in using the credentials of three corporate employees, eventually making their way to the user database.

 

 

Looks like these three could be in big trouble!

Message 32 of 37

Re: eBay asks users to change password

"these three could be in big trouble"

 

No three employees should have access to a totally unprotected database for hundreds of millions of users.  The problem is with senior management and board of directors who did not authorize the spending to properly protect the databases containing its members' personal information.

Message 33 of 37

Re: eBay asks users to change password

Received this message from eBay this afternoon:

 

Important - eBay Password Reset Required

IMPORTANT: PASSWORD UPDATE

DEAR EBAY MEMBER,

TO HELP ENSURE CUSTOMERS' TRUST AND SECURITY ON EBAY, I AM ASKING ALL
EBAY USERS TO CHANGE THEIR PASSWORDS.

HERE'S WHY: RECENTLY, OUR COMPANY DISCOVERED A CYBERATTACK ON OUR
CORPORATE INFORMATION NETWORK. THIS ATTACK COMPROMISED A DATABASE
CONTAINING EBAY USER PASSWORDS.

WHAT'S IMPORTANT FOR YOU TO KNOW: WE HAVE NO EVIDENCE THAT YOUR
FINANCIAL INFORMATION WAS ACCESSED OR COMPROMISED.  AND YOUR PASSWORD
WAS ENCRYPTED.

WHAT I ASK OF YOU:
GO TO EBAY AND CHANGE YOUR PASSWORD. CHANGING YOUR PASSWORD MAY BE
INCONVENIENT. I REALIZE THAT. WE ARE DOING EVERYTHING WE CAN TO
PROTECT YOUR DATA AND CHANGING YOUR PASSWORD IS AN EXTRA PRECAUTIONARY
STEP, IN ADDITION TO THE OTHER SECURITY MEASURES WE HAVE IN PLACE.

IF YOU HAVE ONLY VISITED EBAY AS A GUEST USER, WE DO NOT HAVE A
PASSWORD ON FILE.

IF YOU USED THE SAME EBAY PASSWORD ON ANY OTHER SITE, I ENCOURAGE YOU
TO CHANGE YOUR PASSWORD ON THOSE SITES TOO. AND IF YOU ARE A PAYPAL
USER, WE HAVE NO EVIDENCE THAT THIS ATTACK AFFECTED YOUR PAYPAL
ACCOUNT OR ANY PAYPAL FINANCIAL INFORMATION, WHICH IS ENCRYPTED AND
STORED ON A SEPARATE SECURE NETWORK.

HERE ARE OTHER STEPS WE ARE TAKING:

  * AS ALWAYS, WE HAVE STRONG PROTECTIONS IN PLACE FOR BOTH BUYERS AND
SELLERS IN THE EVENT OF ANY UNAUTHORIZED ACTIVITY ON YOUR ACCOUNT.
  * WE ARE APPLYING ADDITIONAL SECURITY TO PROTECT OUR CUSTOMERS.
  * WE ARE WORKING WITH LAW ENFORCEMENT AND LEADING SECURITY EXPERTS
TO AGGRESSIVELY INVESTIGATE THE MATTER.

HERE'S WHAT WE KNOW: THIS ATTACK OCCURRED BETWEEN LATE FEBRUARY AND
EARLY MARCH AND RESULTED IN UNAUTHORIZED ACCESS TO A DATABASE OF EBAY
USERS THAT INCLUDES CUSTOMERS' NAME, ENCRYPTED PASSWORD, EMAIL
ADDRESS, PHYSICAL ADDRESS, PHONE NUMBER AND DATE OF BIRTH.

HOWEVER, THE FILE DID NOT CONTAIN FINANCIAL INFORMATION. AND, AFTER
CONDUCTING EXTENSIVE TESTING AND ANALYSIS OF OUR SYSTEMS, WE HAVE NO
EVIDENCE THAT ANY CUSTOMER FINANCIAL OR CREDIT CARD INFORMATION WAS
INVOLVED. WE ALSO HAVE NO INDICATION OF A SIGNIFICANT SPIKE IN
FRAUDULENT ACTIVITY ON OUR SITE.

WE APOLOGIZE FOR ANY INCONVENIENCE OR CONCERN THAT THIS SITUATION MAY
CAUSE YOU. AS A GLOBAL MARKETPLACE, NOTHING IS MORE IMPORTANT TO EBAY
THAN THE SECURITY AND TRUST OF OUR CUSTOMERS. WE KNOW OUR CUSTOMERS
HAVE HIGH EXPECTATIONS OF US, AND WE ARE COMMITTED TO ENSURING A SAFE
AND SECURE ONLINE EXPERIENCE FOR YOU ON ANY CONNECTED DEVICE.

DEVIN WENIG
PRESIDENT, EBAY MARKETPLACES

 

==========================================================================

 

You would think eBay knows better than sending a message in block letters!

Message 34 of 37

Re: eBay asks users to change password


@pierrelebel wrote:

Received this message from eBay this afternoon:

" HERE ARE OTHER STEPS WE ARE TAKING:

  * AS ALWAYS, WE HAVE STRONG PROTECTIONS IN PLACE FOR BOTH BUYERS AND
SELLERS IN THE EVENT OF ANY UNAUTHORIZED ACTIVITY ON YOUR ACCOUNT.
  * WE ARE APPLYING ADDITIONAL SECURITY TO PROTECT OUR CUSTOMERS [...].

AS A GLOBAL MARKETPLACE, NOTHING IS MORE IMPORTANT TO EBAY
THAN THE SECURITY AND TRUST OF OUR CUSTOMERS. [...] WE ARE COMMITTED TO ENSURING A SAFE AND SECURE ONLINE EXPERIENCE FOR YOU ON ANY CONNECTED DEVICE.

DEVIN WENIG
PRESIDENT, EBAY MARKETPLACES"

 

==========================================================================

 

...and from the previous quote:

 

Wenig declined comment when asked if he thought eBay had good security prior to the breach. He said the company would now bolster its security systems [...].

 

"We want to make sure it doesn't happen again so we're going to continue to look our procedures, harden our operational environment and add levels of security where it's appropriate."

 

_________________________________________________________________________________

 

With such an exposed world-wide site with tens of millions of users, it should never have happened in the first place.  Money should have been spent and steps should have been taken where it was appropriate to ensure the proper procedures were in place to begin with. 

 

Certainly sounds like a horse-and-barn-door story to me...

 

Message 35 of 37

Re: eBay asks users to change password

Click the flagged ... PASSWORD UPDATE... in light brown at the top left of this page.

 

and

 

We can see how focused eBay has become about the problem

 

and if you have already changed your password, there is a note on that password page  about that new reality.....

Message 36 of 37

Re: eBay asks users to change password

May 21 seems to be a day of Importance!

 

for changing one's password?

Message 37 of 37