SAN FRANCISCO — In the latest high-profile breach of a company’s computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said Wednesday.
The hackers broke into an eBay database containing names, e-mail addresses, birth dates, encrypted passwords, physical addresses, and phone numbers.
There was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal, which is owned by eBay, said Amanda Miller, a company spokeswoman. The company has not seen evidence of fraudulent activity that could be linked to the breach, she said.
Still, hackers could use the stolen data for identity theft. Personal information — such as e-mails, passwords, and birth dates — is regularly sold on the black market to criminals who use it for phishing or identity theft.
Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send e-mails that bait victims into clicking on malicious links or direct them to fake login screens where they are asked to enter more valuable information, such as a Social Security number.
“Expect an uptick in phishing. Do not click links in e-mail or discuss anything over the phone,” warned Trey Ford, a strategist at Rapid7, a security firm in Boston.
EBay discovered the breach earlier this month when the company’s internal security team noticed that some of its employees were engaged in unusual activity on its corporate network, said Mark Carges, the company’s chief technology officer. He said eBay uses several different security technologies, which alerted staff to suspicious activity.
EBay contacted the FBI’s San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay’s corporate network since late February.
By studying computer logs, eBay discovered that hackers had stolen the credentials of several of its employees and, with their user names and passwords, gained unauthorized access to eBay’s corporate network. Once inside, they were able to copy a database containing information on all 145 million of the company’s customers, according to Alan Marks, eBay’s senior vice president of global communications.
Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change passwords immediately on both.
Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information such as a credit card or a Social Security number. But there are exceptions for encrypted information: As long as companies scramble consumer information with basic encryption, the law does not require firms to tell customers about a breach.
In eBay’s case, the company stored users’ names, e-mail and physical addresses, and birth dates in plain text but encrypted their passwords.