EBay customers must reset passwords after major hack

Company isn't saying how many of its 148M active accounts were affected

By Jose Pagliery, CNN; Scott Johnson, General assignment reporter, sjohnson@wjxt.com

NEW YORK (CNNMoney) - Hackers quietly broke into eBay two months ago and stole a database full of user information, the online auction site revealed Wednesday.

Criminals now have possession of eBay customer names, account passwords, email addresses, physical addresses, phone numbers and birth dates.

The company said the passwords were encrypted, but there's no telling when or if the hackers can decrypt them. As a precaution, eBay is resetting everyone's passwords.

The company isn't saying how many of its 148 million active accounts were affected -- or even how many customers had information stored in that database. But an eBay spokeswoman said the hack impacted "a large number of accounts."

Channel 4 spoke with a Jacksonville man who was prompted by eBay to change his password on Wednesday.

"When I saw the email, because I saw the email this morning before I saw the Twitter post from News4Jax and so I went in and took the required steps to actually change my password on eBay," Randy Johnson said. "So I did that very quickly this morning, but then as I'm seeing the newsfeeds come in, I see that now there's been a massive data breach, and so I realized and say to myself 'They're not talking about the data breach in this email at all.'"

Johnson said he felt the email was trying to keep customers quiet by just simply telling them to change their passwords.

"Knowing the fact that this occurred, this compromise took place two months ago and the company found out two weeks ago and they're just now starting to tell the public that their information has been compromised," said Johnson. "I use eBay probably two or three times a year, so (I'm) not really (an) active user, but at the same time we have all our personal information on there, so where we live, our phone number, dates of birth, what we buy, so they can tell a lot of information about a person just based on that information alone."

Johnson said he feels that eBay should have been more honest about the security breach and that the company should have let all their customers know as soon as they found there was a problem.

"To read that story and realize that they had basically compromised everything of a personal nature that eBay knows about me was extremely shocking," Johnson said. "And then you compound that with the data breaches at Target and AOL recently, having our personal information online is extremely scary."

EBay's subsidiary, PayPal, said it was untouched by the data breach. PayPal data, which is sensitive because it includes payment information, is kept on a separate network.

To hack into the eBay database, the cyber attackers managed to get their hands on "a small number" of eBay employee log-in credentials, the company said. They then used those credentials to worm their way into eBay's corporate network. The hackers grabbed the customer database between late February and early March.

It wasn't until two weeks ago that eBay discovered employee credentials had been stolen, the company said. The company then conducted a forensic investigation of its computers and found the extent of the theft.

The company said it hasn't spotted any increase in fraudulent activity on eBay yet.

This is only the latest major data breach compromising people's digital lives. In April, AOL announced hackers stole "a significant number" of its 120 million users' email addresses, passwords, contact lists and more.

Copyright 2014 by CNN and News4Jax.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.