Online marketplace eBay claimed on Wednesday that a cyberattack carried out three months ago has compromised customer data, and the company urged 145 million users of its online commerce platform to change their passwords.
“[We] will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data,” the eBay message reads.
The breach, one of the biggest in history by number of accounts compromised, happened between late February and early March.
Hackers managed to obtain users’ personal information, such as email, home addresses, passwords, phone numbers and birth dates, by using the accounts of company employees. The files, however, did not contain financial information.
“For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” said eBay spokeswoman Kari Ramirez.
Nevertheless, eBay reassured users that it had not detected any “unauthorized activity for eBay users” or “unauthorized access to financial or credit card information”. PayPal information was also unaffected.
A spokesman added that the firm’s engineers were in the process of rolling out a feature that would oblige members to choose new passwords when they next logged in, which should be live in each of the countries eBay operated in by the end of the day.
“The same password should never be used across multiple sites or accounts,” said eBay Inc.
eBay has been described as the “golden goose” by some security researchers because of its large user base, but other internet companies yet to suffer large hacks of this nature are also considered prime targets. The California-based company has 128 million active users and accounted for $212bn (£126bn) worth of commerce on its various marketplaces and other services in 2013.
Amit Yoran, senior vice president of EMC Corp’s RSA security division, said that cyber criminals sometimes take data from multiple breaches, combining them into detailed portfolios that fraudsters can use for scams.
“We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals,” Yoran said. “The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud.”
One of the biggest breaches at a U.S. company was at retailer Target Corp, where hackers last year stole some 40 million credit card numbers and another 70 million customer records.
Last month, U.S. web media company AOL Inc urged its tens of millions of email account holders to change their passwords and security questions, saying a cyber attack compromised about 2 percent of its accounts, reports Reuters.
The internet is still recovering from the Heartbleed bug, a flaw in OpenSSL, the encryption software that protects user information when someone is online. The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web.