eBay customers have started to receive emails advising them to change their passwords. The emails state that user names and passwords have been obtained by hackers and that a new password must be set for security reasons.

Unfortunately for many eBay account holders, these password-change requests have not been sent by eBay but by phishers. The emails contain a link to a website that looks like eBay but is not: it is a fake site built to get users to reveal their current passwords. This phishing campaign is likely to catch out a great many eBay account holders.
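As an added example, not taken from the page and not code used by eBay or by the phishers, the following Python function applies the check a mail filter or a careful reader could apply to the link in such an email: the link must use HTTPS, and its host must be the genuine domain or a subdomain of it, not a host that merely contains the name. The list of legitimate domains, the trick forms it recognises and the sample links are all constructed for this example.

```python
from urllib.parse import urlparse

# Domains that genuinely belong to the site. Assumption for this example:
# eBay operates many country domains and this list is only illustrative.
LEGITIMATE_DOMAINS = ("ebay.com", "ebay.co.uk", "ebay.de")


def classify_link(url: str) -> str:
    """Return 'ok' for a link that really points at the site, otherwise a short reason."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # A password-reset page served over plain http is suspect on its own.
        return "not https"
    if "@" in parsed.netloc:
        # "https://www.ebay.com@evil.example/" displays ebay.com but connects to evil.example:
        # everything before '@' is userinfo, and urlparse().hostname drops it.
        return "userinfo trick"
    host = (parsed.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can render as look-alike characters; flag for review.
        return "punycode host"
    if any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return "ok"
    # "ebay.com.account-verify.example" or "www-ebay.com": the name is there, the domain is not.
    return "lookalike host"


# Constructed sample links, the kinds of host that appear in phishing mail.
SAMPLE_LINKS = [
    "https://signin.ebay.com/reset",
    "https://ebay.com/reset",
    "https://ebay.com.account-verify.example/reset",
    "https://www.ebay.com@evil.example/reset",
    "http://www.ebay.com/reset",
    "https://www-ebay.com/reset",
    "https://xn--ebay-test.example/reset",
]


def classify_all(links):
    """Map each link to its classification."""
    return {u: classify_link(u) for u in links}


if __name__ == "__main__":
    for link, verdict in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:15} {link}")
```

The decisive test is the suffix match on the parsed host, not whether the string "ebay" appears anywhere in the link; the userinfo and lookalike cases exist precisely because readers compare what they see rather than what the browser connects to.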

Data breach suffered, but not identified for two months

In late February or early March, three eBay employees had their login credentials compromised in a cyberattack. The attackers used those credentials to access a database covering 233 million site users. Customer names, phone numbers, postal addresses, email addresses and dates of birth were stolen, along with encrypted passwords.

eBay did not become aware of the breach until early May, two months after it occurred, and then took a further two weeks or so to announce it. The company attributed the delay to the time needed to establish that account data had actually been taken rather than merely accessed. PayPal data and other financial information were not compromised.

A breach that does not expose bank account details or credit card numbers can still be serious, and in this instance eBay account holders are clearly at risk.

The passwords may have been encrypted, but the hackers will be able to guess some of them, because they now hold a great deal of personal data for each account. Dates of birth, for example, are frequently used as passwords, and with the protected password database in hand the attackers can test such guesses offline, at their leisure, against every account. Even victims whose passwords are not guessed are affected: their email addresses were taken, so they are now being targeted with phishing campaigns.
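As an added illustration of the guessing attack described above (example code written for this page, not anything eBay or the attackers used), the following Python script assumes the stolen passwords were stored as salted SHA-256 hashes, a stand-in chosen because the page does not say how eBay protected them. It builds candidate passwords from each victim's leaked name, email address and date of birth and tests them against the hashes. The records, the hashing scheme and the candidate formats are all constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import date


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed storage format: SHA-256(salt || password). A stand-in, not eBay's scheme."""
    return hashlib.sha256(salt + password.encode()).digest()


def make_record(name, email, dob, password):
    """Build one constructed 'leaked' row: PII in the clear, password salted and hashed."""
    salt = os.urandom(16)
    return {"name": name, "email": email, "dob": dob,
            "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample of the stolen data: two weak passwords derived from PII, one strong.
LEAKED = [
    make_record("Alice Example", "alice@example.com", date(1984, 7, 19), "19071984"),
    make_record("Bob Example", "bob@example.com", date(1990, 2, 3), "Bob1990"),
    make_record("Carol Example", "carol@example.com", date(1975, 11, 30), "x7!Qv9#pL2rT"),
]


def dob_candidates(dob: date) -> set:
    """Common ways people write their date of birth as a password."""
    d, m, y, yy = dob.day, dob.month, dob.year, dob.year % 100
    return {
        f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}", f"{y}{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{yy:02d}", f"{m:02d}{d:02d}{yy:02d}",
        f"{d}{m}{y}", f"{m}{d}{y}", str(y),
        f"{d:02d}/{m:02d}/{y}", f"{m:02d}/{d:02d}/{y}", f"{d:02d}-{m:02d}-{y}",
    }


def pii_candidates(record: dict) -> set:
    """Combine the victim's first name, mailbox name and birth date into a short guess list."""
    first = record["name"].split()[0]
    local = record["email"].split("@")[0]
    dob = record["dob"]
    cands = set(dob_candidates(dob))
    for base in {first, first.lower(), local, local.lower()}:
        cands.add(base)
        cands.add(f"{base}{dob.year}")
        cands.add(f"{base}{dob.year % 100:02d}")
        cands.add(f"{base}{dob.day:02d}{dob.month:02d}")
        cands.add(f"{base}123")
    return cands


def crack(record: dict):
    """Return the password if one of the PII-derived guesses matches the stored hash."""
    for cand in pii_candidates(record):
        if hmac.compare_digest(hash_password(cand, record["salt"]), record["hash"]):
            return cand
    return None


def crack_all(records) -> dict:
    """Map each email address to the recovered password, or None if no guess matched."""
    return {r["email"]: crack(r) for r in records}


if __name__ == "__main__":
    for email, pw in crack_all(LEAKED).items():
        print(f"{email:20} {'not guessed' if pw is None else pw}")
```

A per-user salt forces the attacker to hash each guess separately for each account, but with a targeted list of a few dozen guesses per account that costs almost nothing. What actually raises the price is a deliberately slow password hash (bcrypt, scrypt or PBKDF2 with a high work factor) together with passwords that are not derived from the personal data sitting in the same database.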

Most customers know their data was exposed, so a password-reset email looks entirely plausible. Anyone who follows the link and tries to change their password on the fake site hands their current password straight to the phishers.

Investigations launched into the eBay data breach

Investigations into the eBay data breach have now been launched by the attorneys general of three states: Connecticut, Illinois and Florida. Investigations are also under way in Europe. The attorney general of New York has set out his expectations, saying that credit protection services should be offered to breach victims free of charge. At present, eBay has no plans to offer any risk remediation services to customers.

eBay has been criticized for the slow identification of the breach and for its slow response once the breach was discovered. Initially it reported no compromised accounts, then 145 million; the figure eventually settled on was 233 million.

Sending 233 million emails may be no problem for spammers, but it has taken eBay some time. The company tweeted news of the breach, but email notifications took considerably longer to go out, and that gap may well have led more individuals to respond to the phishing emails.

eBay breach victims must exercise caution

A data breach of this magnitude at a company as large as eBay is worrying. How good were the security measures it had in place? Why was the phishing campaign against its employees not identified before three people responded? Why were those phishing emails not blocked before delivery? Only time will tell.

Since personal information has been compromised and hackers are now trying to guess passwords from it, account holders should log in to the site directly, by typing the address into the browser rather than following a link, and change their passwords. They should not act on an email request, as it may be a phishing attempt. Anyone who used the same password on other sites should change it there too, because a password guessed from the eBay data will be tried against other accounts.