Why did eBay take so long to reveal attack?Comment on this story
London - Online auction site eBay has been blasted for an “inexcusable delay” in taking action after it was revealed that its servers were hacked three months ago - compromising the personal details of 15 million British users.
The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder - 233 million worldwide - are now in the hands of the hackers.
The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.
It has been revealed that hackers accessed eBay databases by using the accounts of company employees as long ago as February.
MPs have rounded on the American company for the “inexcusable delay” in informing its customers.
Keith Vaz, the chairman of the Commons home affairs select committee, told the Telegraph: “We have urged companies to take much more seriously the threat of hacking. It is inexcusable that a company as important as eBay has failed to inform its customers immediately that this has occurred. We need a full explanation.
“We will be writing to them to ask how this happened and whether this problem has been resolved.”
In a statement on their website, the US auction site said it was asking all its users to reset their passwords after an attack “compromised a database containing encrypted passwords and other non-financial data”.
Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.
Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the '“olden goose of hacking targets” due to the sheer amount of information which is held.
He said that the damage could have already been done and warned that while hackers may not be taking money or goods out of eBay - they may be using personal information to target other sites.
An eBay spokesman said: “We discovered unauthorised access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to Wednesday’s announcement.
“eBay is a global marketplace and this thorough investigation worked as quickly as possible.”
The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: “PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”
The firm has 128 million active users and accounted for £126-billion worth of commerce in 2013. Shares in the web giant, which has more than 14 million active users in the UK, fell by 3.2 percent in early trading yesterday amid fears that the company will lose the trust of their customers, leading to a downturn in trade and profits.
A spokesman added: “Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
“Information security and customer data protection are of paramount importance to eBay, and eBay regrets any inconvenience or concern that this password reset may cause our customers.”
“Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.
“There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.”
But Graham Cluley, independent security expert, said: “Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.
“If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.”
And internet security expert Paul Martini said: “eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.
“It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making its a potential gold mine.”
He added: “Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.”
The internet is still recovering from the Heartbleed bug, a flaw in the OpenSSL encryption on computers that protects user information when someone is online.
The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web. UK parenting website Mumsnet was the first to admit they had been a victim of the bug. Fixes, or “patches”, have since been applied across the web as sites recover from the breach in security. - Daily Mail