eBay announced this morning that it has been hacked and that “encrypted passwords and other non-financial data” have been compromised. The company is expected to begin notifying its customer base later today, and the notification will include a suggestion that users change their passwords. The company says that PayPal, an eBay subsidiary, uses its own servers and was not affected by the attack.
According to CNET, the first public news of the compromise came by way of a cryptic blog posting by PayPal:
“…eBay-owned PayPal posted a blog entitled ‘eBay, Inc. to Ask All eBay users to Change Passwords.’ The blog post included nothing but the title, but quickly hit the Web after it was retweeted dozens of times. The blog post was then taken down from PayPal’s site, causing even more confusion for users of the online auction house.”
According to a posting on the eBay blog, the attack occurred several months ago.
“The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.”
The post does not indicate when eBay first became aware of the intrusion, nor does it explain why the public is only now being notified of the security problem. The company does say that it has seen no evidence that any user accounts have been compromised, and it indicated that it is suggesting the password changes as a precautionary measure.