eBay Inc said on Wednesday that a cyber attack carried out three months ago has compromised customer data, and the company urged 145 million users of its online commerce platform to change their passwords.
The company said unknown hackers stole email addresses, encrypted passwords, birth dates, mailing addresses and other information in an attack carried out between late February and early March. The files did not contain financial information.
An eBay spokeswoman said a large number of accounts may have been compromised, but declined to say how many. eBay said it found no evidence of unauthorized access to financial or credit card information at its PayPal payments subsidiary, which encrypts and stores its data separately.
eBay shares were down 0.2 percent late Wednesday afternoon, compared with a 0.9 percent rise in the Nasdaq Composite Index.
The e-commerce company's stock has steadily fallen since late March as part of a broader slide in technology shares. Last month, eBay reached an accord with activist investor Carl Icahn, who had been calling for the company to spin out PayPal, which is growing quickly.
Security experts advised eBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.
"This is not a breach that only hurts eBay. This is a breach that hurts all websites," said Michael Coates, director of product security with Shape Security.
He said that companies typically only ask users to change passwords if they believes there is a reasonable chance attackers may unscramble encrypted passwords.
Once the passwords are unscrambled, attackers could use automated software that seeks to log into thousands of popular services, including Facebook, Twitter, popular email services and online banking sites, he said.
eBay spokeswoman Amanda Miller said the company was making the request "out of an abundance of caution" and that it used "sophisticated," proprietary hashing and salting technology to protect the passwords.
Amit Yoran, senior vice president of EMC Corp's RSA security division, said that cyber criminals sometimes take data from multiple breaches, combining them into detailed portfolios that fraudsters can use for scams.
"We are seeing a level of sophistication in the cybercrime world where they are able to pull data from multiple exploits to create stronger profiles of individuals," Yoran said. "The more detailed information fraudsters have, the better their ability to successfully perpetrate fraud."
NO SIGNS OF FRAUD
eBay said its investigation of the breach is ongoing, with assistance from law enforcement.
"For the time being, we