Online marketplace eBay says it will urge users to change their passwords following a "cyberattack" impacting a database with encrypted passwords and non-financial data.
The database includes information such as customers' names, encrypted passwords, email and physical addresses, phone numbers and dates of birth. As of the end of their first quarter, the company has 145 million active buyers.
"It's substantial," says Simon Eappariello, senior vice president of engineering at iBoss Network Security. "If they're going to contact all of their users to change their passwords, that's a major breach in anyone's book. That's a lot of data."
"This is the new normal," said Avivah Litan, a security analyst with Gartner, a technology research company based in Stamford, Conn.
"It's part of a trend where criminals are going after credentials," she said. "We've seen a big rise in the use of stolen passwords at banks. The criminals are cycling through all these passwords they've stolen, trying to use them," she said.
At some point, "it could become pretty ominous. All this data's getting stolen—we have to assume it's eventually going to be used," said Litan. "The criminals are building big data stores with as much financial information as they can get. Who knows what they're doing with all of it?"
In a statement released Wednesday, eBay says it has not found evidence of unauthorized activity or access to financial information, based on "extensive" tests. The company says financial data was not affected, pointing out credit card information is encrypted and stored separately from this database.
"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace," a company statement said.
EBay is encouraging people who used the same password on other sites to change those credentials as well.
The company says it has seen no proof of unauthorized access to PayPal, its online payment service. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," says the company.
The criminal groups behind these massive data breaches are typically out of Eastern Europe, Litan said. "They're very well organized. They've got black markets set up to sell this stolen merchandise. They distribute it around the world. And the data is sold a lot faster than it used to be."
While eBay has downplayed the breach because it didn't include financial information, the loss of an unknown number of passwords has the potential to compromise accounts on other websites, not just eBay, security experts say. That's because many consumers use the same password on multiple sites.
"The attackers will quickly take over accounts across the web wherever a user reused their username and password on another site," said Michael Coates, director of product security at Shape Security in Mountain View, Calif.
EBay also was using a more easily cracked method for protecting the passwords it kept on file. There are two commonly used ways to secure stored passwords: encryption and hashing. EBay was using encryption, which is the more easily broken of the two, said Coates.
"Encryption allows eBay, or anyone who accesses the decryption key, to decrypt and see your actual password. Password hashing allows eBay to check if the password you enter is correct or not, but doesn't allow eBay (or hackers) to get the plaintext of your actual password," he said.
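The distinction Coates draws can be seen in code. The following is an added illustration, not code from eBay or from any of the people quoted: a reversible scheme, where anyone holding the key recovers every stored password, set beside a one-way salted hash, where the site can only confirm that a submitted password matches. The "encryption" half is a deliberately simple keystream cipher written only to make the point about key possession; the hashing half uses PBKDF2-HMAC-SHA256 from the Python standard library, with an assumed work factor of 600,000 iterations.

```python
"""Added example: reversible password encryption versus one-way password hashing.

Assumptions: standard library only. The reversible cipher below is a constructed
toy (SHA-256 keystream XOR) used solely to show that possession of the key yields
the plaintext; it is not a production cipher. The hash side uses PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2 work factor for new records


# --- Reversible storage: the model eBay is described as having used ---

def _keystream(key: bytes, length: int) -> bytes:
    """Constructed toy keystream: concatenated SHA-256(key || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> bytes:
    """Store the password in a form the site can read back with `key`."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(ciphertext: bytes, key: bytes) -> str:
    """The same key reverses the transform: whoever obtains the key obtains
    every password in the table, which is the risk the article describes."""
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


# --- One-way storage: verify-only, nothing to decrypt ---

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user defeats precomputed tables and makes two
    users with the same password produce different records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    There is no key anywhere, so a stolen record only permits guessing."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    key = os.urandom(32)
    ct = encrypt_password("correct horse", key)
    print("encrypted record recovered with key:", decrypt_password(ct, key))
    record = hash_password("correct horse", iterations=50_000)
    print("hashed record:", record)
    print("verify right password:", verify_password("correct horse", record))
    print("verify wrong password:", verify_password("Correct horse", record))
```

The asymmetry is the whole point: a database dump plus the key reads out the encrypted column directly, whereas a dump of the hashed column forces an attacker to guess passwords one at a time at the cost of the work factor, which is why hashing with a per-user salt and a slow function is the standard recommendation for stored passwords.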
The compromise, which happened between late February and early March, resulted from a cyberattack targeting a small group of employee log-in credentials. Emails will go out to users today to request changes to their passwords. The company says they will also employ additional security measures.
Forrester analyst Tyler Shields says it's concerning that it took eBay until earlier this month to uncover the breach. "From late February and March to just about two weeks ago is a LOT of time for an attacker to be roaming around your network and systems."
Trey Ford, security strategist with Rapid7, says attackers could use information taken from the database to pose as legitimate company representatives.
"Users should be wary of anyone contacting them claiming to be eBay or any other company for that matter," says Ford. "Expect an uptick in phishing, do not click links in email, or discuss anything over the phone."
The eBay breach is the latest in a series of attacks targeting customer data. Earlier this month, Target CEO Gregg Steinhafel stepped down months after hackers swiped financial information on 40 million customers. In April, AOL confirmed its email service had been hacked, with users complaining their accounts were sending spam to contacts.
Eric Chiu, president and co-founder of security firm HyTrust, says this cyberattack is more proof high-profile breaches like eBay and Target are occurring more frequently. "This is another wakeup call that organizations need to take an 'inside-out' approach to security and assume the bad guy is already on their network."