SAN FRANCISCO — In the latest prominent breach of a company’s computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said on Wednesday.

The hackers broke into an eBay database containing names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers.

There was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal, which is owned by eBay, said Amanda Miller, a company spokeswoman. The company has not seen evidence of fraudulent activity that could be linked to the breach, she said.

Still, hackers could use the stolen data for identity theft. Personal information — such as email addresses, passwords and birth dates — is regularly sold to criminals who use it for phishing or identity theft.

Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send emails that bait victims into clicking on malicious links or direct them to fake log-in screens where they are asked to enter more valuable information like a password or a Social Security number.

“Expect an uptick in phishing. Do not click links in email or discuss anything over the phone,” warned Trey Ford, a strategist at Rapid7, a security firm in Boston.

EBay discovered the breach this month when the company’s internal security team noticed that some of its employees were engaged in unusual activity on its corporate network, said Mark Carges, the company’s chief technology officer.

EBay contacted the Federal Bureau of Investigation’s San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay’s corporate network since late February.

By studying computer logs, eBay discovered that hackers had stolen the credentials of several of its employees and gained unauthorized access to eBay’s corporate network. Once inside, they were able to copy a database containing information on all 145 million of the company’s customers, according to Alan Marks, eBay’s senior vice president of global communications.

Mr. Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change their passwords immediately.

Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information like a credit card or a Social Security number. But there are exceptions for encrypted information.

In eBay’s case, the company stored users’ names, email and physical addresses and birth dates in plain text but encrypted their passwords. Most states would not have required eBay to disclose the breach. But one state, North Dakota, requires companies to disclose a breach in cases where a customer’s name is compromised in conjunction with a birth date.

Mr. Carges said eBay camouflaged customers’ passwords with encryption, using a process known as hashing, in which passwords are mashed up with a mathematical algorithm and stored only in encoded or “hashed” form.

To make cracking more difficult, Mr. Carges said, eBay also appended several random digits to customer passwords — a process known as salting — before encrypting the passwords. Salting makes cracking them more difficult, although not impossible.
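The hashing and salting Mr. Carges describes, shown as an added illustration that is not eBay’s own code: each password gets its own random salt before a deliberately slow hash (PBKDF2-HMAC-SHA256 with 200,000 iterations, an assumed choice for this example), so two users with the same password store different digests and one precomputed table no longer matches every record in a stolen database.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not eBay's actual settings).
ALGORITHM = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-password random salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def make_record(password: str) -> str:
    """Serialise what the database stores: scheme, cost, salt and digest, never the password."""
    salt, digest = hash_password(password)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, ITERATIONS, salt.hex(), digest.hex())


def check_record(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_" + ALGORITHM:
        return False  # unknown or downgraded scheme: refuse rather than guess
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived, bytes.fromhex(digest_hex))


def salting_hides_shared_passwords(password: str) -> bool:
    """Two users with the same password end up with different stored digests."""
    rec_a, rec_b = make_record(password), make_record(password)
    return rec_a.split("$")[3] != rec_b.split("$")[3]
```

A leaked record still lets an attacker test guesses against that one salt, which is why the iteration count matters and why the article calls salting harder to crack, not impossible.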
Mr. Marks said that on Wednesday the company would begin prompting users to change their passwords and alerting customers to the breach.

Peter D. Lee, a spokesman for the F.B.I.’s San Francisco field office, said the F.B.I. was working closely with eBay to investigate the breach and that he believed that arrests would be made soon.

The breach at eBay is one of several recent hacking episodes at prominent companies. One that struck Target in December has cost the retailer $87 million in breach-related expenses, according to securities filings.
Correction: May 21, 2014
Because of erroneous information provided by a spokeswoman for the company, a previous version of this article misstated when eBay learned of an attack on its computers. EBay became aware of the breach in early May, and it was discovered that it had first occurred in late February; eBay did not discover the breach in February.