eBay attack compromised user data on massive scale

26 May 2014

Though the security breach at eBay this week compromised user details on a major scale, when it was first detected the company thought user data had not been hacked (See: eBay hack puts identities of millions of customers at risk).

Even though passwords had been compromised, eBay's response asking users to change their passwords had come painfully slowly, users complained.

They said the company did not even feature a prominent warning on its site until the day after the breach was officially admitted. Also, there was no forced reset of user passwords.

Further, although the breach happened in February or March, eBay failed to detect anything amiss until a fortnight before admitting it had taken place.

Commentators have asked what eBay was doing during those two weeks.

When the company found the breach two weeks ago, it did not believe user data had been compromised by the intruders who had accessed eBay's network using employee login credentials they had managed to get hold of.

According to a Reuters report, when forensic investigators started their examination of the incident, they thought customer data was safe.

According to Devin Wenig, global marketplaces chief at eBay, who spoke to Reuters, the company did not believe that there was any eBay customer whose data had been compromised.

Although there was no evidence that eBay's internal payment subsidiary PayPal was similarly attacked, the sheer number of users affected made this even larger than the Target attack, the editorial noted.

The eBay hack comes after other cyber attacks, and given the regularity and frequency of such break-ins, users were increasingly becoming immune to password-change appeals, say commentators.

Many internet users had only one password for all of their online accounts, which increased vulnerability to criminal activity.

According to experts, the eBay hack came as yet another reminder to use unique passwords for all online subscriptions and accounts. While extra security measures were always introduced after an attack, companies seemed to be helpless against hacker ingenuity.