eBay hacked – should I change my password?

We explain how to reset your password, how to check if you've been hacked and how to avoid eBay scams following eBay's huge security breach

Passwords, email addresses and physical addresses of millions of eBay users have been stolen by hackers. We explain what you need to do and questions eBay has to answer following this catastrophic security breach.

While eBay has confirmed no financial information has been compromised, the attack is still very bad news for your online security. Here’s what you need to do right now:

Do I need to change my eBay passwords?

Yes. If you’ve got an eBay account and you haven’t changed your password, do so right now. It isn’t clear if the database stolen by hackers contained the details of all 233 million eBay users, but the company has said that all users should change their passwords immediately. Click here to go to eBay’s password page. PayPal accounts have not been compromised, eBay has said.

Do I need to change my other passwords?

Again, yes. If you use your eBay password on Facebook, Twitter, Gmail or any other online account, change all those passwords right now. Hackers often try to match stolen passwords against accounts elsewhere on the web, so it is very foolish to use the same password on more than one site. Now is the time to start taking passwords more seriously. The superb LastPass keeps all your passwords safe, secure and locked away. Download it now.

What information was stolen?

As well as your eBay password, hackers have also made away with your email address, postal address, phone number and date of birth. That personal information is valuable and can be used to carry out identity theft and other scams. Oddly, eBay hasn’t said how much data was stolen, so it is best to assume that data on all users has been nabbed.

Are hackers going to attack me?

Even if you’ve changed your eBay password and all other matching passwords, you’re still likely to be targeted by hackers. Emails asking you to reset passwords, click on links and fill in personal information should all be approached with caution. If in doubt, never click on any links in emails asking you to provide personal information.

Were the passwords encrypted?

Yes, but it isn’t clear how. The statement released by eBay was vague and didn’t provide any details of how passwords were encrypted. It isn’t yet clear if the hackers have been able to decrypt the stolen passwords.

What encryption and other security does eBay use?

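Security experts have questioned why eBay wasn’t hashing and salting passwords. Hashing is a so-called ‘one way’ function: once a password has been hashed, it is impossible to turn the hash back into the password. Salting mixes a random value, unique to each account, into the password before it is hashed, so two users with the same password end up with different hashes. This way of protecting passwords works well because the site never needs to store the password itself: when you enter a password to log in, it is hashed and the result is compared with the hash stored on the server. If both match, you can log in. There are a lot of questions eBay still has to answer about how it did (or didn’t) protect customer information.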

How did hackers gain access to the database?

According to eBay, a “small number of employee log-in credentials” were compromised, which allowed hackers to access the company’s corporate network. It isn’t clear if eBay used two-factor authentication to protect its database of user passwords and other personal information. As to how hackers found and targeted specific eBay employees, a simple search on LinkedIn reveals a huge roster of people working for the company.

Why did it take eBay so long to notice the attack?

In its statement, eBay said the attack happened between late February and early March. The company also revealed that it only noticed the attack two weeks ago. It isn’t clear why it took eBay so long to spot suspicious activity on its corporate network, nor why it waited a further two weeks before alerting users. This isn’t good enough and eBay needs to explain itself.

Have my personal details and password been stolen before?

Quite possibly. In the last couple of years there has been a series of major data breaches, although the eBay hack is likely to top them all. In October 2013 Adobe confirmed 153 million accounts had been breached. The useful Have I Been Pwned? website has a huge database of breaches from 22 sites. To find out if your details have been compromised, simply type in your email address or username. The website doesn’t include information from eBay’s stolen database, because the hackers have not released it publicly, as they often have after past breaches.
