eBay slammed over slow post-cyber attack password reset response

eBay sign

eBay has come under fire for not alerting users their passwords may have been compromised by cyber attackers as soon as details of the breach came to light.

eBay confirmed that a company database containing its members' passwords has been compromised yesterday, prompting the firm to call on users to update their site login credentials.

The internet auction giant said in a statement that it had been the victim of a cyber attack that resulted in encrypted passwords and other "non-financial" data being accessed. This includes details of users' home addresses, phone numbers, birthdays and email addresses.

The attack is thought to have happened sometime between late February and early March but only came to light a fortnight ago, the company said.

The latter point has seen the firm's cyber security response come under fire from a slew of industry watchers, who have queried why it took the firm so long to alert users.

Despite the company publishing a statement, instructing users to update their passwords, a message to this effect has only appeared on the eBay home page today.

David Robinson, chief security officer at Fujitsu UK and Ireland, said the case highlights the need for companies of all shapes and sizes to deploy robust threat detection tools.

"It seems that not a week goes by that we don't see a data breach of one type of another. Over the last few months, we have seen many high profile companies affected by these types of attacks, and eBay is the latest company in the spotlight," said Robinson.

"The fact that this breach was able to go unnoticed for a number of weeks is testament to the fact that companies need to be doing more as the cyber-criminal industry continues to evolve."

Although, David Emm, senior security researcher at Kaspersky Lab, said users should be more concerned about the fact it took several months for eBay to detect the breach.

"The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond, if the company has only just discovered the full extent of the attack, it is now doing the right thing by notifying customers in a timely manner," he said.

The perpetrators reportedly gained access to the database by stealing a "small number" of employee log-in credentials, eBay has revealed, which allowed them to gain unlawful access to its corporate network.

"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," a company statement reads.

However, eBay has been quick to stress that it has uncovered no evidence the attack has resulted in the unauthorised use of its members' accounts or that any credit card data has been accessed at this time.

Even so, the company is urging all of its members to change their passwords as a matter of urgency.

"Information security and customer data protection are of paramount importance to eBay... [and the company] regrets any inconvenience or concern this password reset may cause our customers," the statement adds.

"We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace."

The company has also confirmed that it has no reason to believe the attackers also accessed data from online payment provider PayPal, which eBay acquired in 2002 and is used by the vast majority of its users to carry out transactions.

"PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," it added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.