EBay asks users to change passwords after breach

San Jose, Calif. - EBay Inc. is asking EBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for EBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.



Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to EBay's corporate network, the company said. Working with law enforcement and leading security experts, EBay is investigating the matter and applying forensics tools and practices to protect customers.



The database, which was compromised between late February and early March 2014, included EBay customers' name, encrypted password, email address, physical address, phone number and date of birth. However, EBay said the database did not contain financial information or other confidential personal information. The compromised employee log-in credentials were first detected about two weeks ago, and forensics subsequently identified the compromised EBay database.



The company said it has seen no indication of increased fraudulent account activity on EBay and has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.



Beginning May 21, EBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their EBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, as well.