Our company recently discovered a cyberattack that compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. As a result, a database containing encrypted passwords and other non-financial data was compromised. There is no evidence of the compromise affecting accounts for PayPal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats. The company is asking all eBay users to change their passwords.
What customer information was accessed?
The attack resulted in unauthorized access to a database of eBay users that included:
Date of birth
Was my financial information accessed?
The file did not contain financial information, and after conducting extensive testing and analysis of our systems, we have no evidence that any customer financial or credit card information was involved. Likewise, the file did not contain social security, taxpayer identification or national identification information.
Has the issue been resolved?
We believe we have shut down unauthorized access to our site and have put additional measures in place to enhance our security. We have seen no spike in fraudulent activity on the site.
How did this happen?
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network. We are working with law enforcement and leading security experts to aggressively investigate the matter. At this point, we are not disclosing further information.
When did this happen?
Based on forensic research with internal and external security experts, the attack occurred between late February and early March.
Do you know who is responsible?
We are fully cooperating with law enforcement and security experts who are investigating this situation. We will not speculate on who is responsible at this time.
When did eBay discover this issue?
The company discovered earlier in May that unauthorized access to our corporate network had occurred. We immediately began working with security experts and law enforcement to aggressively investigate the matter.
Why did eBay wait so long to disclose this data compromise?
eBay has a responsibility to fully understand the facts, which required a full investigation. As soon as we knew what had happened and determined the best course of action, we acted immediately to disclose. We have seen no spike in fraudulent activity on the site.
How many accounts were accessed?
All eBay users are being asked to change their password. All eBay users will be notified. At the end of Q1, we had 145 million active buyers.
What steps are you taking to ensure customer data is safe moving forward?
We are asking all eBay customers to change their password the next time they log into their eBay account. We are making this decision out of an abundance of caution.
Below are additional steps we are taking:
As always, we have strong protections in place for both buyers and sellers in the event of any unauthorized activity on your account.
We are applying additional security to protect our customers.
We are working with law enforcement and leading security experts to aggressively investigate the matter.
How are you notifying eBay customers of this incident?
We are in the process of notifying all eBay users and asking them to change their password through email, site and other marketing communications channels.
Were other platforms impacted?
eBay has no evidence of unauthorized access or compromises to personal or financial information for users of PayPal. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted. Likewise, we have no evidence of any unauthorized access to other sites operated by eBay Marketplaces, such as StubHub, eBay Classifieds, Tradera, GMarket, Auction, GumTree or GittiGidiyor.
I use the same password for multiple accounts. Do I now need to change all of them?
If you used the same password for eBay and any other site, we encourage you to change your passwords for those sites too. As a matter of good practice, the same password should never be used across multiple sites or accounts.
If I’ve only visited eBay as a guest user, how does this impact me?
If you have only visited eBay as a guest user, we do not have a password on file. However, we encourage you to remain vigilant. Following a cyberattack of this nature, it is common that fraudsters will try to exploit well-known brand names like eBay in an effort to obtain personal information. They attempt this fraudulent activity through phishing emails, texts, phone calls and fake websites.
Does this issue affect me as a PayPal user?
If you are a PayPal user, we have no evidence that this compromise affected your PayPal account or any PayPal financial information, which is encrypted and stored on a separate secure network.
Do I need to change my PayPal password?
If you used the same password for both eBay and PayPal, we encourage you to change your PayPal password, too, as well as your passwords for any other sites on which you used the same password. As a matter of good practice, the same password should never be used across multiple sites or accounts.
If my information has been compromised, what are the risks to me?
We have no evidence that any customer financial or credit information was involved, and have seen no spike in fraudulent activity on the site. Likewise, the file did not contain social security, taxpayer identification or national identification information.
The information that has been accessed is often publicly available. Thus, the primary risk is increased exposure to consumer scams.
Following a cyberattack of this nature, it is common that fraudsters will try to exploit well-known brand names like eBay in an effort to obtain personal information. They attempt this fraudulent activity through phishing emails, texts, phone calls and fake websites.
For helpful tips on how to avoid scams, please visit our security center.