Graham Cluley reported on his blog this morning that eBay had probably been hacked and that its users had been asked to reset their passwords.
In the same post, Graham gave four probable reasons for eBay's ‘password reset’ notice, which were as follows:
- Some mischief-maker has managed to access PayPal’s blog and post a bogus headline. That wouldn’t be good news.
- There’s been an internal screw-up at PayPal, and someone has accidentally published a blog post (perhaps prepared during a crisis management exercise) claiming that all eBay passwords need to be reset. That wouldn’t be good news, but not as bad as an unauthorised party gaining access to the PayPal blog… or indeed as bad as a security breach.
- PayPal has identified, or been responsibly informed of, a security issue that requires users to change their passwords as a precaution. That wouldn’t be good, but better than some scenarios.
- PayPal has had a security breach and is going to ask all of its users to change their passwords. Their announcement has been published a little before schedule, before they’d finished writing it. That wouldn’t be good.
Well, it seems that Graham had put his money where his mouth is. It was reason number 4 that made eBay initiate such an elaborate password reset program for all its users. In a separate blog post, eBay confirmed that its database had indeed been compromised and that the hackers may have had access to the database containing passwords and other non-financial information. As of now, eBay is not sure of the extent of the breach, but it has given out the following statement:
Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.
In addition to asking users to reset passwords, eBay Inc. said it will also encourage any eBay user who used the same password on other sites to change those, too.
From the last sentence it may be deduced that the hackers may have breached vital personal information and data of eBay users. Generally, the confirmation email IDs and passwords are also saved in the same database as the eBay password. The eBay breach may have led to this data being in the hands of the hackers.
As Graham rightly put it, “Clearly eBay is concerned that the passwords in the compromised database – albeit encrypted – could easily be cracked or decrypted, and fall into the hands of malicious attackers.”
Techworm requests all eBay users to reset their eBay passwords, as well as their confirmation email passwords, as soon as possible.