Auction site eBay has urged users to change their passwords immediately after revealing that a cyber attack compromised a database that could have leaked encrypted passwords and non-financial data.
EBay is the latest in a long line of companies to issue password alerts. While it said that it has seen no evidence of anything unlawful happening since it uncovered the breach, it added that "changing passwords is a best practice and will help enhance security".
The firm will start alerting users to the need to change their passwords on 21 May. The firm also attempted to cool concerns about data breaches.
"EBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace," the company said.
"Cyber attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network.
"Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."
The database was compromised in late February or early March, according to eBay. No financial information was lost, but encrypted passwords, email addresses, physical addresses, dates of birth and phone numbers were. The firm said that, other than these, no "other confidential personal information" was taken.
It added that PayPal data and information reside on a separate network, and are untouched. "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted," eBay said.
The breach came to light a couple of weeks ago when eBay discovered compromised employee logins on its network.
Despite eBay urging users to change their passwords, there is no notification on the front page of the website, and no email alert had been sent out at the time of publication.
Lamar Bailey, director at security firm Tripwire, said this would be the best way to protect customers, given the extent to which eBay is often linked with other financial information.
"Many people have their eBay accounts linked to PayPal, bank accounts, credit cards or Bill me Later accounts. If eBay has lost usernames and passwords in a breach the attackers can post fake items for sale on eBay and then use stolen accounts to steal money from these accounts," he said.
"EBay should be warning customers via email and on their home page, but that has not happened yet."
Troy Gill, a senior security analyst at AppRiver, added that the incident was a timely reminder of the need to use different passwords for different websites.
"For many the message to change their passwords on other sites where they are using the same password might not play out so well," he said.
"Unfortunately, many people will not heed this warning and as a result the attackers will have a potential entry point to gain access to some other personal account which is utilising the same password."
The incident is the latest in a recent spate of major cyber incidents. US retailer Target was hit last year, affecting some 70 million user accounts, while a major public utility was hit by a cyber attack recently, the US government revealed.