“IMWAN for all seasons.”



 Post subject: Hackers raid eBay in historic breach, access 145 million records
PostPosted: Thu May 22, 2014 1:06 am 
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Thank God for news services. Ebay has NOT emailed this information to their top sellers. I have changed my password.

Reuters wrote:
By Jim Finkle

BOSTON (Reuters) - EBay Inc said that hackers raided its network three months ago, stealing some 145 million user records from a database in what is poised to go down as one of the biggest data breaches in history based on the number of accounts compromised.

It advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.

EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.

"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."

She said the hackers copied a massive user database that contained those passwords, as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.

Miller also said the company has hired FireEye Inc's Mandiant forensics division to help investigate the matter. Mandiant is known for publishing a February 2013 report that described what it said was a Shanghai-based hacking group linked to the People's Liberation Army.

EBay earlier said a large number of accounts may have been compromised, but declined to say how many.

Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.

"People need to stop reusing passwords and should change their affected passwords immediately across all the sites where they are used," said Trey Ford, global security strategist with cybersecurity firm Rapid7.

Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so.

Still, EBay said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.

EBay said the hackers got in after obtaining login credentials for "a small number" of employees, allowing them to access eBay's corporate network.

It discovered the breach in early May and immediately brought in security experts and law enforcement to investigate, Miller said.

"We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise," Miller said when asked why the company had not immediately notified users.

The breach could go down as the second-biggest in history at a U.S. company, based on the number of records stolen.

Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.

It would be larger than the one that Target Corp disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.

(Additional Reporting by Joseph Menn; Editing by Christopher Cushing)

_________________
Putty Cats are God's gift to the universe.


PostPosted: Thu May 22, 2014 10:52 am
Pow-Lo

Joined: 29 May 2012
Posts: 17688
Location: A'Unotano
Bannings: 1: Cumulatively Effected
Thanks for the heads up.

_________________
These days, it's all secrecy, no privacy... ~ Mick Jagger, "Fingerprint File"
Save the Bees


PostPosted: Thu May 22, 2014 10:54 am
Friendly, Furry, Ellipsoidal

Joined: 12 Apr 2008
Posts: 62287
Location: Brotoro's Magic Forest
Bannings: Bannings? We don't need no stinkin' bannings!
eBay password changed!

_________________
Because life is a treasure. —Dave Powell


PostPosted: Thu May 22, 2014 11:27 am

Joined: 20 Sep 2006
Posts: 3671
Yeah, what the hell, ebay? I think it is bizarre that the company, which wears me out with emails to my account asking me to sell things, etc., hasn't bothered to tell its users about the breach and recommend a password change. Nevertheless, for the first time in my lost usage of ebay, I finally changed my password to a somewhat more secure one this week (and also changed my paypal password given that these 2 companies are so closely linked).


PostPosted: Thu May 22, 2014 11:28 am
Puppy Monkey Alan!

Joined: 20 Sep 2006
Posts: 15804
Bannings: Dwigt Rortugal
Changed my password yesterday. Didn't realize that I had credit card info stored out there to pay my seller fees. Started to think, "Oh, sh..." but then realized a) that card expired two years ago; and b) we closed that account even further back because it got compromised. So they can have that.

Reuters wrote:
"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."


This is BS. They may have no evidence, but it's been shown over and over that password encryption is not all that difficult IF you have the resources to throw at it. And those resources are getting easier and cheaper to find all the time. Without knowing what encryption eBay used, it could be difficult - or it could be much easier than he's saying.

_________________
Alan

"This is a true story, except for the parts that didn't happen." - Steven Wright


PostPosted: Thu May 22, 2014 2:20 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Paypal TELLS me they weren't compromised (only ebay). Ebay is CLAIMING today that all that was taken are names & email addresses. Take both pieces of "info" with lots of salt & in case it's true be VERY careful of targeted Phishing.

_________________
Putty Cats are God's gift to the universe.


PostPosted: Fri May 23, 2014 4:15 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
I find the last sentence the most interesting. Historically, many have complained that it's basically impossible to truly "close" an ebay account. They may stop billing, but I have read repeatedly the account never truly closes.

SANS wrote:
TOP OF THE NEWS
--eBay Criticized for Handling of Breach
(May 21 & 22, 2014)
eBay has met with widespread criticism for the way it handled a breach
that exposed user data. On May 21, eBay acknowledged that a database
containing user passwords and personally identifiable information was
compromised. The intrusion occurred in February or March of this year.
eBay became aware of the breach earlier this month. The company was
taken to task for delaying notification for so long and for the
labyrinthine process users had to navigate to change their passwords.
Furthermore, the volume of users trying to change their passwords was
at one point overwhelming eBay's system. People want to know why they
did not detect the intrusion for three months, but eBay and the FBI have
not been forthcoming with details about the breach.
http://www.nbcnews.com/tech/security/si ... ls-n112186
http://www.v3.co.uk/v3-uk/news/2346280/ ... ant-breach

http://arstechnica.com/security/2014/05 ... base-hack/

http://www.nextgov.com/cybersecurity/20 ... ng-HPriver
[Editor's Note (Pescatore): I'm all for the market excoriating companies
slow to detect compromises. However, I didn't find the process of
changing my eBay password "labyrinthine" - if it was any easier to do,
attackers would be changing all our passwords on a regular basis.
(Murray): This compromise dwarfs any to date. By failing to use strong
authentication and by leaving a path between the public network and
these sensitive databases and records eBay has exposed hundreds of
thousands of users to application fraud, not to say "identity theft."
Users should not be misled by the warning to change their passwords; the
real risk here is the disclosure of names and dates of birth for which
there is no remedy offered or available. I did not change my eBay
password, I closed my account and sold my stock.]

_________________
Putty Cats are God's gift to the universe.


PostPosted: Sun May 25, 2014 1:29 am
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Ebay FINALLY sent this out by email tonight:

Idiots At Ebay wrote:

IMPORTANT: PASSWORD UPDATE

Dear eBay Member,

To help ensure customers' trust and security on eBay, I am asking all eBay users to change their passwords.

Here's why: Recently, our company discovered a cyberattack on our corporate information network. This attack compromised a database containing eBay user passwords.

What's important for you to know: We have no evidence that your financial information was accessed or compromised. And your password was encrypted.

What I ask of you:
Go to eBay and change your password. Changing your password may be inconvenient. I realize that. We are doing everything we can to protect your data and changing your password is an extra precautionary step, in addition to the other security measures we have in place.

If you have only visited eBay as a guest user, we do not have a password on file.

If you used the same eBay password on any other site, I encourage you to change your password on those sites too. And if you are a PayPal user, we have no evidence that this attack affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.

Here are other steps we are taking:

As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.


Here's what we know: This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers' name, encrypted password, email address, physical address, phone number and date of birth.

However, the file did not contain financial information. And, after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. We also have no indication of a significant spike in fraudulent activity on our site.

We apologize for any inconvenience or concern that this situation may cause you. As a global marketplace, nothing is more important to eBay than the security and trust of our customers. We know our customers have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device.

_________________
Putty Cats are God's gift to the universe.


IMWAN Mod
PostPosted: Sun May 25, 2014 5:08 am
The Modfather; Wizard of WAN

Joined: 05 Oct 2006
Posts: 56209
Location: Under the Iron Bridge
Bannings: freely handed out
I finally got the same email tonight.


PostPosted: Mon May 26, 2014 12:28 pm
Mr. IMWANKO

Joined: 18 Sep 2005
Posts: 73851
Location: the Moist Periphery of Pendulum Tide
Yeah, I got that email on Saturday. Took 'em long enough.

_________________
Staging Areas
Approach Area
Area of a Triquetra
Area of Effect
Life Longing


PostPosted: Mon May 26, 2014 11:35 pm

Joined: 13 Dec 2006
Posts: 1247
Location: Wichita Falls, Texas
I was notified last week sometime while bidding on an auction


PostPosted: Tue May 27, 2014 12:51 am
Sonic Death Monkey

Joined: 22 Aug 2004
Posts: 8540
Location: Jet City
Bannings: 6
I still haven't gotten a notification; of course, I can't remember the last time I bid on something on eBay.

_________________
My home on the web:
http://www.alger-photography.com


PostPosted: Tue May 27, 2014 1:00 am
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
They MAY only be sending emails to sellers, I'm not sure. There is a notification on the site if you log in.

_________________
Putty Cats are God's gift to the universe.


PostPosted: Tue May 27, 2014 10:18 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
Sans wrote:
TOP OF THE NEWS
--eBay Facing Investigations Over Breach
(May 23, 2014)
Attorneys general in three US states are launching a joint investigation
into the eBay breach. The UK's Information Commissioner is considering
a formal probe of the incident that compromised personal information of
145 million account holders.
http://www.cnet.com/news/ebay-to-face-f ... ta-breach/
http://www.scmagazine.com/states-probe- ... le/348422/
http://www.bbc.com/news/technology-27539799
http://www.theregister.co.uk/2014/05/23 ... tigations/
[Editor's Note (Pescatore): The CEO "walk of shame" on national TV is
common after big oil spills, business failures, auto safety fiascoes,
etc. It is good to see it becoming common for big breaches, too - even
though eBay has had a pretty good track record overall. Security folks
need to be prepared to tell their CEO, "Here's why it won't happen to
you up there" or "Here's what I've been saying we have to do, or else
it *will* be you."
(Murray): This is far and away the most damaging breach in the history
of the Internet. eBay has been successful in keeping the public focused
on passwords, the one piece of data that was encrypted. While eBay is
a victim and I generally oppose "piling on" victims, this case is an
exception to my rule. eBay is not simply a "bricks and mortar" merchant
with a web site. It is one of the two big Internet merchants that owe
their business model to the Internet. An investigation is likely to
show that their security did not include strong authentication for
privileged users, effective encryption for sensitive customer data, and
isolation of that data from the public networks. They must be held to
a higher standard than that.]


_________________
Putty Cats are God's gift to the universe.


PostPosted: Wed May 28, 2014 5:00 pm
I love Music & hate brickwalled audio

Joined: 27 Sep 2006
Posts: 37646
Location: The Pasture
The latest email from Ebay wrote:

As we announced last week, because of the cyberattack on our corporate information network discovered earlier this month, we are now prompting all eBay users to change their passwords when they log in or before they complete a transaction.

We have no evidence that financial information was accessed or compromised, or that this attack affected PayPal accounts or any PayPal financial information, which is encrypted and stored on a separate secure network.

However, this attack compromised a database containing encrypted eBay user passwords. As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity and we are applying additional security to protect our customers. As a precautionary step, we are also asking all users to change their passwords.

If you haven't yet changed your password, please do so now so that you can continue listing and doing business on eBay. Go to My eBay>Personal/Business Information>Account Information>Password>Edit. If you have more than one eBay account, you will need to change the password for each of them. If you changed your password on May 21 or later, we do not need you to take any additional action at this time.

If you used the same password for eBay and any other site, we encourage you to change your password on those sites, too. As a matter of best practice, the same password should never be used across multiple sites or accounts.

Additional protections for sellers with auction-style listings

We recognize that the password reset may temporarily interrupt the normal bidding process for buyers. We're taking additional steps to ensure successful transactions for sellers:

All listing and final value fees will be refunded automatically for auction-style listings that ended between 6:00 AM PDT on Wednesday, May 21, 2014, and 11:59 PM PDT on Wednesday, May 21, 2014. Sellers will see these credits on their June invoice.
Sellers can end any auction-style listings without penalty between 6:00 AM PDT on Wednesday, May 21, 2014, and 11:59 PM PDT on Saturday, May 31, 2014 and will receive a credit for all listing fees related to these listings on their June invoice.
Sellers can also cancel any transactions from auction-style listings that ended in a sale between 6:00 AM PDT on Wednesday, May 21, 2014, and 11:59 PM PDT on Saturday, May 31, provided the buyer paid with PayPal and we can verify through PayPal that the buyer's full payment has been refunded.

Final value and listing fees will be credited on sellers' June invoice and any associated defects or negative buyer feedback removed. These protections will be applied automatically. The transaction must be cancelled within the above timeframe to qualify for the credit and defect/feedback removal.

We will also be communicating with the winning bidder for any cancelled auction-style transaction during this time period to ensure they continue to have great buyer experiences on eBay.

We apologize for any inconvenience or concern this situation may cause. Nothing is more important to us than the security and trust of every customer in our global marketplace. We know you have high expectations of us, and we are committed to ensuring a safe and secure online experience for you on any connected device. More information and updates are available at info.ebayinc.com.

Thank you for selling on eBay.
Sincerely,

Michael Jones
Vice President Merchant Development

_________________
Putty Cats are God's gift to the universe.

