EBay reveals it was hacked in February 2014, personal data compromised

"Change your passwords," urges company, three months too late

EBay has revealed that its customer database was hacked between late February and early March 2014, putting usernames, passwords and other personal, non-financial customer data at risk in the time since.

The online auction company said it became aware of the breach only around two weeks ago, but has detected "no indication of increased fraudulent account activity" on the site.

EBay has also stressed that the breached database "did not contain financial information or other confidential personal information".

The company simply urges users to change their passwords as "a best practice [that] will help enhance security for eBay users".

However, several cybersecurity firms have already spoken out against eBay's rather casual reaction to the three-month-old breach.

"Even though a portion of [the stolen data] was encrypted, it appears a good deal was not and it is this kind of personal information which is often used by criminals to launch further attacks," said Paul Ayers, VP of EMEA at enterprise data security firm Vormetric.

"That the passwords were encrypted will come as little comfort to the millions of eBay users whose other data may have been accessed."

Matt Middleton-Leal, regional director for UK and Ireland at CyberArk, said the fact that just a "small number" of compromised accounts has resulted in such "significant access" to eBay's corporate network is "extremely concerning".

"These powerful accounts hold the proverbial 'keys to the kingdom'," said Middleton-Leal.

"As evident here, they have access to vast stores of information, data and control within the organisation's digital depositories and, as a result, are the primary target for any hacker who is on the ball. Worryingly, once access has been secured, the extent of access means that maximum havoc can be wreaked."

Meanwhile, Richard Parris, CEO and founder of Intercede, believes that "passwords are dead", and companies generally need to consider new ways of protecting information.

"All businesses, including eBay, need to wake up to these risks and adopt stronger authentication for both employees and users of their services or sites," said Parris.

"The answer lies in two-factor authentication - something you have and something you know. We're already familiar with this and use it in the form of chip and PIN everyday with our bank cards.

"It's now time for businesses and society to wake up to the fact that passwords are dead and we need a more secure alternative."

EBay-owned online payment service PayPal already offers two-factor authentication as an option, but eBay is yet to catch up.