BOSTON (Reuters) - EBay Inc’s description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.
The company has said hackers attacked between late February and early March with login credentials obtained from “a small number” of employees. They then accessed a database containing all user records and copied “a large part” of those credentials.
The breach was discovered in early May and disclosed on Wednesday.
Security experts and Wall Street analysts want to know how the hackers got those credentials and whether the employees whose information they used were entitled to unfettered access to eBay's user database, which contains some of its most sensitive information.
“They’ve been pretty tightlipped. They’ve barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.
In particular, Kennedy wants to know why it took eBay three months to detect the intrusion.
An FBI spokesman told Reuters the bureau is working with eBay to investigate the breach, but declined to elaborate. EBay said it had hired FireEye Inc’s Mandiant forensics division to help with its review. A FireEye spokesman declined to comment.
Dan Kaminsky, a well-known Internet security expert who is chief scientist at online fraud detection firm White Ops, said it is not clear that eBay was remiss in securing its database because hackers have the tools to get into nearly any network.
“Five hundred of the Fortune 500 are under constant attack. Everybody is getting hit,” he said.
Still, he said he would like to have more information about what happened to understand how they got in and why it took three months to detect. “If we are not going to prevent these attacks, let’s at least detect them,” he said.
The company said hackers stole email addresses, encrypted passwords, birth dates, mailing addresses and other information, though neither financial data nor PayPal databases were compromised.
Computer security experts say the biggest breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.
The eBay breach would be larger than the one Target Corp disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.
Additional reporting by Mark Hosenball in Washington; Editing by Dan Grebler