TORONTO – EBay has asked its entire user base to change their passwords following the announcement of a cyberattack in which hackers were able to steal a large part of a database containing users’ encrypted passwords.
But the database affected in the breach also contained users’ personal information including names, email addresses, home addresses, phone numbers and dates of birth.
EBay has not yet confirmed the exact number of users affected by the breach. The company has only said hackers were able to copy “a large part” of the database.
This means some users’ information could be left floating around the web, leaving users at risk.
Already there have been reports of eBay user information popping up for sale online.
Security researcher Ashkan Soltani tweeted a link to what appeared to be a database of user information for sale Thursday – however, eBay quickly responded to his tweet saying, “published lists we have checked so far are not authentic eBay accounts.”
But this type of personal information is highly useful for spammers.
Ilia Kolochenko, CEO of information security company High-Tech Bridge, said that spammers will pay much more for information in detail so they can tailor their email advertising to target their audience.
“This information is becoming much more valuable for spammers,” Kolochenko said.
Though Kolochenko added that not all spammers will use this type of information for malicious activity, other experts say that thieves will use the opportunity to conduct phishing scams aimed at gaining more personal details.
Mark Nunnikhoven, vice president of cloud & emerging technologies at Trend Micro, said the company usually sees an increase in phishing scams after data breaches like this.
“We will see the traditional ‘click here to see if your eBay password was affected’ scam emails,” he said.
According to Nunnikhoven, Trend Micro saw an increase in phishing scams after the Heartbleed bug was revealed in April.
“There are hundreds of people who will try to take advantage of the eBay data breach by using this as an opportunity to phish for more information,” said identity theft expert Graham McWaters.
McWaters said users’ should be wary of any emails, phone calls, or letters from companies asking them to confirm personal details such as their financial or credit card information.
He added that Canadians are already at risk of falling victim to phishing scams because tax season just ended. According to McWaters, scam artists may pose as someone from the CRA to try to get people to hand over their social insurance number.
But McWaters said the risk of identity theft from the eBay data breach is relatively low, providing users’ don’t fall victim to phishing scams.
“Someone can get a lot of that stuff online if they do enough research.”