Why did eBay take THREE MONTHS to reveal cyber attack? Website blasted for ‘inexcusable’ delay after customers’ details were hacked as long ago

  • Attack made between February and March and affects 128 million users
  • Hackers infiltrated the corporate network after stealing employee logins
  • This gave hackers access to eBay customers’ name, encrypted password, email address, home address, phone number and date of birth
  • Firm said there is no evidence to suggest PayPal accounts were affected
  • But security experts are warning hackers could still use personal details to commit identity fraud – even after the password has been changed

Online auction site eBay has been blasted for an ‘inexcusable delay’ in taking action after it was revealed that its servers were hacked three months ago – compromising the personal details of 15 million British users.

The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder – 233 million worldwide – are now in the hands of the hackers.

The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.


It has been revealed that hackers accessed eBay databases by using the accounts of company employees as long ago as February.

MPs have rounded on the American company for the ‘inexcusable delay’ in informing its customers.

Keith Vaz, the chairman of the Commons home affairs select committee, told the Telegraph: ‘We have urged companies to take much more seriously the threat of hacking. It is inexcusable that a company as important as eBay has failed to inform its customers immediately that this has occurred. We need a full explanation.

‘We will be writing to them to ask how this happened and whether this problem has been resolved.’

In a statement on their website, the US auction site said it was asking all its users to reset their passwords after an attack ‘compromised a database containing encrypted passwords and other non-financial data’.

Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.

Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the ‘golden goose of hacking targets’ due to the sheer amount of information which is held.

He said that the damage could have already been done and warned that while hackers may not be taking money or goods out of eBay – they may be using personal information to target other sites.

An eBay spokesman said: ‘We discovered unauthorised access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to yesterday’s announcement.

‘eBay is a global marketplace and this thorough investigation worked as quickly as possible.’ 

The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: ‘PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’

The firm has 128million active users and accounted for £126billion worth of commerce in 2013. Shares in the web giant, which has more than 14million active users in the UK, fell by 3.2 per cent in early trading yesterday amid fears that the company will lose the trust of their customers, leading to a downturn in trade and profits.

A spokesman added: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’


‘Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.

‘There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.’

But Graham Cluley, independent security expert, said: ‘Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.

‘If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.’

And internet security expert Paul Martini said: ‘eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.

‘It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.’

He added: ‘Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.’

The internet is still recovering from the Heartbleed bug, a flaw in the OpenSSL encryption on computers that protects user information when someone is online.

The flaw had been present for two years undetected, and offered hackers a way into personal accounts across the web. UK parenting website Mumsnet was the first to admit they had been a victim of the bug. Fixes, or ‘patches’, have since been applied across the web as sites recover from the breach in security.


What personal details were stolen?

Hackers gained access to eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.

Are my credit card details safe?

The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes. 

Will changing my password solve the problem?

Changing passwords will stop hackers from being able to use any login details that were stolen.

However, they could still use names, addresses and birth dates to commit identity fraud. 

It’s a good idea to change passwords following any attack such as this. It’s also important to update login details on any sites that use the same password.

If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.

As a rule, the same password should never be used across different sites.

Should I change my PayPal password as well?

PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.

However, as a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.

Which countries are affected?

At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.

Is this hack a result of the Heartbleed bug?

When Heartbleed was exposed, eBay announced its customers’ accounts were secure and had not been affected. This suggests the latest hack is a separate attack.

How did hackers steal the information?

It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.

Why did it take so long for eBay to inform customers of the breach?

MailOnline has contacted eBay for an answer to this question. It is unclear what caused the delay.

Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice. 


Early reports claimed the password change on eBay could be as a result of the worldwide Heartbleed security breach last month, but PayPal said at the time its servers weren’t at risk and had not been affected.
