eBay Gets Hacked, Takes Its Sweet Time Letting You Know

Have you ever used eBay? Well, congratulations: your name, email address, physical address, phone number, date of birth, and encrypted passwords are now in the hands of hackers who illegally accessed the company’s servers between late February and early March. And it appears that the company really doesn’t care too much.

A press release posted to the company’s corporate eBayInc.com website Wednesday (and not the customer-facing eBay.com) revealed that the breach was first discovered about two weeks ago. Technology-focused news sites like Engadget and BGR quickly picked up on the news, but the company has thus far failed to update its primary eBay.com website with any information or contact users directly via email (although it claims it will start doing so soon).

Update: eBay is now, finally, alerting customers to the issue via a banner on eBay.com.

While further clarification is needed, it appears as of now that although no user financial information was obtained in the breach, critically important data such as a user’s name, address, phone number, and date of birth have been exposed without any form of encryption. User passwords were encrypted, but it’s possible, if not likely, that those will soon be decrypted as well.

With eBay failing to heed the lessons of countless other security breaches, the compromised login credentials of eBay employees were used to access sensitive user information that was improperly stored and protected. It’s inexcusable.

The company claims that it has no information thus far that the compromised data has resulted in unauthorized transactions at eBay, but if users maintained the same password at other websites, those accounts could already be compromised. This is particularly dangerous in this specific situation due to the inclusion of items like physical addresses, phone numbers, and birth dates. Hackers armed with that kind of information could do a lot of damage before being detected.

eBay users should immediately change their password on eBay.com and at any other website or service that uses the same or similar password. It would also be wise to carefully monitor financial records going forward, and look for any signs of unauthorized access.

With eBay now having demonstrated an appalling lack of concern for the safety of its users, the only thing that consumers can do to protect themselves is to adopt the recommended policy of utilizing separate passwords for every website or service. Apps like 1Password, LastPass, and iCloud Keychain can help you manage unique passwords without having to remember them all.

But, in the long run, there’s nothing that consumers can do if companies continue to collect and store confidential user information in an unsafe manner (and I don’t care what eBay says, the combination of name, address, birthdate, and phone number is confidential). Hackers will always find a way in; it’s up to the companies that claim to value our safety to make sure there’s nothing of value to find.