eBay yesterday posted a notice on its corporate website (where almost no one will see it), to advise that its user database was stolen by hackers in February or March of this year.
Update (27 May 2014): eBay has begun to send emails notifying its users of the incident. The notification downplays the seriousness of the loss of persionally identifiable information, but it does a decent job of warning users of the risk to their password security.
This database contained usernames, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth. eBay has not specified the form of encryption it used for the passwords, so it is impossible to know how resistant these passwords will be to decryption; however, it is safe to say (as in most cases with encrypted passwords) that weak passwords will be easily decrypted by hackers.
eBay will require all of its users to change their passwords, and you should certainly do this if you have an eBay account; however, you should also change your password on any other websites where you were using the same password. As always, Should I Change My Password recommends that you use a different password for every website you use. Password management tools like LastPass and 1Password make this easy to do.
The personally identifiable information included in the stolen database should be of equal concern. Data like physical addresses, phone numbers, and dates of birth make identity theft using this data very likely. Should I Change My Password encourages all eBay users to remain vigilant for signs of unusual activity in their various accounts (both online and offline).
As always, Should I Change My Password has been monitoring online services where hackers post stolen data. So far we have located two claimed data extracts from this breach, posted by hackers offering to sell the full database. eBay has denied that these extracts are authentic; however, we have added the email addresses from these extracts to our database, since they did not appear to have been taken from any previous breach data that we have seen.
Should I Change My Password will continue to monitor for signs of data from this and other site breaches. If you haven’t already, be sure to sign up to Should I Change My Password’s Email Watchdog so we can notify you instantly if your email address is found in any of Chief Technology Officer, Should I Change My Password the breach data we locate.
Best wishes,
Kevin Yank