BOSTON May 22 EBay Inc's description
of how hackers got access to its entire database of 145 million
user records leaves many questions unanswered as to how cyber
criminals orchestrated what appears to be the second-biggest
data breach in U.S. history.
The company has said hackers attacked between late February
and early March with login credentials obtained from "a small
number" of employees. They then accessed a database containing
all user records and copied "a large part" of those credentials.
The breach was discovered in early May and disclosed on
Security experts and Wall Street analysts want to know how
the hackers got those credentials and whether the employees whose
information they used were entitled to unfettered access to its
user database, which contains some of its most sensitive
"They've been pretty tight-lipped. They've barely provided
any information. They should be more forthcoming about what
happened," said David Kennedy, chief executive of TrustedSEC
LLC, an expert in investigating data breaches.
In particular, Kennedy wants to know why it took eBay three
months to detect the intrusion.
An FBI spokesman told Reuters the bureau is working with
eBay to investigate the breach, but declined to elaborate. EBay
said it had hired FireEye Inc's Mandiant forensics division to
help with its review. A FireEye spokesman declined to comment.
Dan Kaminsky, a well-known Internet security expert who is
chief scientist at online fraud detection firm White Ops, said
it is not clear that eBay was remiss in securing its database
because hackers have the tools to get into nearly any network.
"Five hundred of the Fortune 500 are under constant attack.
Everybody is getting hit," he said.
Still, he said he would like to have more information about
what happened to understand how they got in and why it took
three months to detect. "If we are not going to prevent these
attacks, let's at least detect them," he said.
The company said hackers stole email addresses, encrypted
passwords, birth dates, mailing addresses and other information,
though neither financial data nor PayPal databases were compromised.
Computer security experts say the biggest breach was
uncovered at software maker Adobe Systems Inc in
October 2013, when hackers accessed about 152 million user
The eBay breach would be larger than the one Target Corp
disclosed in December of last year, which included some
40 million payment card numbers and another 70 million customer
(Additional reporting by Mark Hosenball in Washington; Editing
by Dan Grebler)