Auction site eBay has urged users to change their passwords after suffering what may have been the biggest-ever cyber-attack when hackers broke into a database holding its 233m customers’ personal data.
EBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth, which were not encrypted.
The site has 233 million customers worldwide, including more than 14 million active in Britain.
In a statement, the auction site said that a database was compromised between late February and early March. PayPal, the payment arm of eBay, released a statement saying it was not affected and that financial information had not been compromised.
“The scope for damage is absolutely huge and could be the biggest hack of all time, given the number of users eBay has,” said Rik Ferguson, global vice president of security research at security software firm Trend Micro.
While financial information was protected, the personal information exposed in the compromise was “neatly packaged information that is worth a lot to cybercriminals, and though eBay claims that financial information was not compromised we shouldn’t be reassured by these statements,” said Professor Alan Woodward from the department of computing at the University of Surrey.
“It is inexcusable for a company the size of eBay with the amount of data it holds to not encrypt all personal information held and to not constantly be at the forefront of security technology,” Ferguson agreed. “It should not have taken them three months to notice a break-in like this.”
Exposure of personal information such as postal addresses and dates of birth puts users at risk of identity theft, where the data is used to claim ownership of both online and real-world identities. Users are also at risk of phishing attacks from malicious third parties, which use the private details to trick people into handing over bank account, credit card or other sensitive information.