In what is one of the largest data breaches in history, eBay has gone public with the news that they have been the victims of a data breach that resulted in 145 million customer records being exposed.
As a result of the breach, eBay has posted a message on their front page urging all customers to change their passwords.
This attack is bigger than the well-known Target data breach, which happened last year and resulted in the exposure of 40 million credit cards and 110 million user records. That data breach led to the resignation of Target CEO Gregg Steinhafel.
While the eBay breach has not led to the exposure of financial information, which is encrypted and stored on PayPal, or to any fraudulent activity yet, the user information exposed had not been encrypted by eBay.
What Was Exposed and How It Was Done
EBay has reported that the exposed information includes customer names, home addresses, email addresses, phone numbers and birthdays – all information that could be used by hackers to commit identity theft. It also included user passwords, although they were encrypted by eBay. It remains unclear if the methods eBay used to encrypt user passwords were enough to safeguard them.
This is exactly the kind of information that criminals who commit identity theft want. They can use this information to commit phishing attacks, where they send you email containing malicious links or links to fake websites that ask you to enter your password.
EBay only found out about the breach two weeks ago, but discovered that it actually started in February, which means that hackers have had access to user accounts for over three months.
Hackers were able to gain access to the user data by breaking into a database containing the information. EBay found out that their servers had been breached when members of their security department found that hackers had stolen the user credentials of several employees and used them to copy a database containing user information on all of the company’s 145 million customers.
Once they knew their servers had been breached, eBay contacted the FBI’s San Francisco office and a computer forensics firm and discovered that the breach had happened over three months ago.
As a result of the breach, Connecticut, Florida, and Illinois are investigating the matter.
How You Can Protect Yourself
First of all, if you have an eBay account, you should go in there immediately and change your password.
But this may not be enough. Unfortunately, if the hackers were able to decrypt the passwords, any other account on which you used the same password is also exposed.
So if you used your eBay password on another account, you should immediately change that one as well.
Below are four tips to keep in mind when you’re changing your passwords:
- Change your passwords often: A good rule of thumb is at least once every six months.
- Choose a complicated phrase: Use an actual sentence with spaces in between words, like “Peyton Manning is my favorite quarterback” or “New York City is cold in the winter.” It’s easy to remember a phrase like that, but a hacker would only see a forbiddingly long password sequence.
- Use a complex password: Another good idea is to use numbers and special characters (such as “&” and “%”). Use both upper and lowercase letters as well. Some websites actually require such a mix of characters.
- Use a free online password generator: A free password generator like LastPass generates random passwords and then stores them for you so you don’t have to remember all of them. And it gets you out of the habit of using the same password for all of your online accounts.