eBay Inc. issued a public statement today asking customers to change their web site passwords due to a breach of their customer database systems. Although they assert that the number of customer accounts compromised is small, and there is no evidence that the stolen data has been used by the hackers, all customers should take the step of changing their login credentials.
The statement said the database was compromised between late February and early March and included eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. No financial information or other confidential personal information was breached. The company also stated that PayPal data is stored on a separate secured network and is encrypted.
The hackers gained access to the eBay network by obtaining the login credentials of several key employees. The compromised login credentials were first detected about two weeks ago.
While the statement did not elaborate on how the employee credentials were compromised, hackers are known to be increasingly using the techniques of Advanced Persistent Threat (APT) attacks to target very specific individuals in organizations. For example, instead of phishing, that is, sending deceptive emails to a wide audience, they may attempt to identify specific individuals and use information available on public sites such as Facebook and LinkedIn to craft plausible emails that attempt to trick the recipient into clicking on a malicious link. The recipient is more likely to be fooled if the email appears to be from a school they actually attended or is about a company event that is really taking place.