Ebay urges users to change passwords after database attack

But site insists financial information was not accessed after employee log-ins compromised

Do you need to change your Ebay password? After some initial confusion, it turns out that users of the ecommerce site should indeed log on and update their password after an encrypted database was compromised.

In a notice on its Paypal press site, Ebay said there was no evidence that account information had been compromised or accessed, but said it would contact customers to inform them of the incident.

The attack hit an Ebay database containing encrypted passwords, and non-financial information such as customers’ names, email addresses, physical addresses, phone numbers and dates of birth, between late February and early March. Evidence of the intrusion into the corporate network was uncovered about two weeks ago, and the company had been working to identify the affected databases before alerting customers.

A blog post on the Ebay site said the attackers had gained access to a small number of employee log-in credentials, which allowed them to access the corporate network.


“Extensive forensic research has shown no evidence of unauthorised access or compromise to personal or financial information for Paypal customers,” the statement said. “Paypal customer and financial data is encrypted and stored separately, and Paypal never shares financial information with merchants, including Ebay.”

Users can expect to be contacted by Ebay directly within the next 24 hours.

“Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers,” the Ebay blog post said.

A message appeared earlier today on the Paypal community website urging shoppers to change passwords, but it was later removed, causing confusion among users.

The message was headlined “Ebay Inc to ask all Ebay users to change passwords” but contained no information other than the words “place holder text”.

The latest security breach comes only a matter of weeks after websites across the world were hit by the Heartbleed vulnerability. A patch to fix the vulnerability, which was found in a commonly used security standard on the internet, was released last month.

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist