Exclusive: EBay initially believed user data safe after cyberattack

BOSTON/SAN FRANCISCO Fri May 23, 2014 7:22pm EDT

An eBay logo is projected onto white boxes in this illustration picture taken in Warsaw, January 21, 2014. REUTERS white RS/Kacper Pempel

An eBay logo is projected onto white boxes in this illustration picture taken in Warsaw, January 21, 2014.

Credit: Reuters white RS/Kacper Pempel

Related Topics

BOSTON/SAN FRANCISCO (Reuters) - EBay Inc initially believed that its customers' data was safe as forensic investigators reviewed a network security breach discovered in early May and made public this week, a senior executive told Reuters on Friday.

EBay has come under fire over its handling of the cyberattack, in which hackers accessed personal data of all 145 million users, ranking it among the biggest such attacks launched on a corporation to date.

"For a very long period of time we did not believe that there was any eBay customer data compromised," global marketplaces chief Devin Wenig said, in the first comments by a top eBay executive since the e-commerce company disclosed the breach on Wednesday.

EBay moved "swiftly to disclose" the breach after it realized customer data was involved, he said.

Wenig would not say when the company first realized that the cyberattackers accessed customer data, nor how long it took to prepare Wednesday's announcement.

He said hackers got in using the credentials of three corporate employees, eventually making their way to the user database.

Hackers accessed email addresses and encrypted passwords belonging to all eBay users. "Millions" of users have since reset their passwords and the company had begun notifying users, though it would take some time to complete that task, Wenig said.

"You would imagine that anyone who has ever touched eBay is a large number," he said. "So we're going to send all of them an email, but sending that number all at once is not operationally possible."

At least three U.S. states are investigating the company's security practices. Customers have complained on social media about delayed notification emails. And New York's attorney general called on eBay to provide free credit monitoring services to users.

But the Internet retail giant has no plans to compensate customers or offer free credit monitoring for now because it had detected no financial fraud, Wenig said.

Wenig declined comment when asked if he thought eBay had good security prior to the breach. He said the company would now bolster its security systems, and has mobilized senior executives in a subsequent investigation of the attack.

"We want to make sure it doesn't happen again so we're going to continue to look our procedures, harden our operational environment and add levels of security where it's appropriate."

The breach marked the latest headache for eBay this year. In January, it crossed swords publicly with activist investor Carl Icahn, who mounted a campaign to get it to spin out PayPal. Then in April, the e-commerce company disappointed investors with a weak second-quarter outlook, pressuring its shares.

AVOIDING BACK DOORS

Buying and selling activity on eBay remained "fairly normal" though eBay is still working out the cost of the breach, which included hiring a number of security firms. Wenig, who was previously a senior executive at Thomson Reuters Corp, declined to comment on whether the cost could be material to eBay's results.

Wenig's revelation that the company initially believed that no customer data had been compromised might take some of the heat off eBay's executive team.

Cyber forensics experts said it's not uncommon for large companies to take weeks to grasp the full impact of an attack, because hackers are often able to steal data without leaving obvious clues.

"In some cases you go in and find the smoking gun immediately. Other times, it takes a few days or even a few weeks," said Kevin Johnson, a cyber-forensics expert who was not involved in the eBay investigation but has worked for other Fortune 500 companies.

Daniel Clemens, a forensics expert and CEO of Packet Ninjas, said investigators often ask companies to hold off on disclosure until they believe they understand the full extent of an attack. Otherwise, they risk tipping off attackers who might cover their tracks or leave "back doors" so they can return after the investigators complete their probe.

On Wednesday, the e-commerce company announced that hackers raided its network between late February and early March. The company said financial information was not compromised and its payments unit PayPal was not affected.

When eBay first discovered the network breach in early May, the senior team was immediately involved and held multiple daily calls on the issue. EBay staff have been working around the clock since Wednesday.

Wenig said he could not provide much more detail about what happened in the attack beyond the scant information given out so far.

He declined to provide further specifics, citing ongoing investigations by the Federal Bureau of Investigation and several forensics firms including FireEye Inc's Mandiant division.

(Editing by Edwin Chan, Lisa Shumaker and Andrew Hay)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (15)
I have been getting fake Paypal emails from criminals in the past few months. All trying to get me to log in to my account, one would assume that it was to get hold of my paypal password. And ebay owns Paypal. Coincidence? Maybe. But then, maybe not. Does make me wonder. Speaking solely for myself, I do feel that this was, and still is, being handled very poorly by ebay. If anyone thinks they’ve gotten a fake Palpal email, forward it to Paypal’s cyber crime team: spoof@paypal.com They will tell you if your email is real or fake. Better to be safe than sorry, as they say.

May 23, 2014 9:06pm EDT  --  Report as abuse
JohnnyBoy1966 wrote:
After this mess came to light I dropped my Ebay account. I am lucky, I have a dedicated debit card for Ebay purchases. Needless to say that car will be deactivated ASAP. I also had a dedicated email account just for Ebay stuff as well. Guess what, that account is gone as well.
I hate changing my phone number associated with the account, but I guess I will have to do that as well. With all that I have to do I should send Ebay a bill. LOL

May 23, 2014 10:29pm EDT  --  Report as abuse
shadyj911 wrote:
Those Chinese gold farmers seem to have inexhaustible resources.

May 23, 2014 11:45pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

Retirement Road Map