SAN FRANCISCO -- In the latest high-profile breach of a company's computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said Wednesday.
The hackers broke into an eBay database containing names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers.
There was no indication that the attackers obtained financial information, such as credit and debit card numbers, or gained access to customer accounts at PayPal, which is owned by eBay, company spokeswoman Amanda Miller said. She said the company has seen no evidence of fraudulent activity that could be linked to the breach.
Still, hackers could use the stolen data for identity theft. Personal information -- such as emails, passwords and birth dates -- is regularly sold on the black market to criminals who use it for phishing or identity theft. Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send emails that bait victims into clicking on malicious links or direct them to fake log-in screens, where they are asked to enter more valuable information such as a password or a Social Security number.
EBay discovered the breach earlier this month, when the company's internal security team noticed that some employees were engaged in unusual activity on its corporate network, said Mark Carges, the company's chief technology officer. He said eBay uses several different security technologies, which alerted staff to suspicious activity.
EBay contacted the FBI's San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay's corporate network since late February. By studying computer logs, eBay discovered that hackers had stolen credentials of several employees and, with their user names and passwords, gained unauthorized access to eBay's corporate network. Once inside, they copied a database containing information on all 145 million customers, said Alan Marks, eBay senior vice president of global communications.
Mr. Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change their passwords immediately.
Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information such as a credit card or a Social Security number. But there are exceptions for encrypted information: As long as companies scramble consumer information with basic encryption, the law does not require companies to tell customers about a breach.
In eBay's case, the company stored users' names, email and physical addresses and birth dates in plain text but encrypted their passwords. Most states would not have required eBay to disclose the breach. But one state, North Dakota, requires companies to disclose a breach in cases where a customer's name is compromised in conjunction with a birth date.
Mr. Carges, the eBay tech officer, said his company camouflaged customers' passwords with encryption, using a process known as hashing, in which passwords are mashed up with a mathematical algorithm and stored only in encoded or "hashed" form. Security experts warn that hashed passwords can be easily cracked using extensive online databases of common passwords and their precalculated hash values.
To make cracking more difficult, Mr. Carges said, eBay also appended several random digits to customer passwords -- a process called salting -- before encrypting the passwords. Salting makes cracking more difficult, although not impossible.
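The hashing and salting Mr. Carges describes, as an added illustration that is not part of the article or of eBay's own code: a constructed list of common passwords stands in for the precomputed online tables the article mentions, an unsalted hash is recovered with a single lookup, and a salted hash of the same password is not in the table at all. Beyond what the article says, the last function shows the deliberately slow scrypt function practitioners use in place of a plain hash; SHA-256 and the password list are assumptions.

```python
import hashlib
import secrets

# Constructed stand-in for the large online tables of common passwords
# and their precomputed hashes that the article refers to.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]

def hash_unsalted(password):
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt):
    """SHA-256 over salt + password: a per-user random salt changes the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute digest -> password once, up front (the 'rainbow table' idea)."""
    return {hash_unsalted(p): p for p in candidates}

def lookup(digest, table):
    """Match a stolen digest against the table with one lookup (None if absent)."""
    return table.get(digest)

def make_record(password):
    """What a database row should hold: a fresh 16-byte salt and the salted digest."""
    salt = secrets.token_bytes(16)
    return salt, hash_salted(password, salt)

def verify(password, salt, stored):
    """Login check: recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_salted(password, salt), stored)

def hash_salted_slow(password, salt):
    """Same idea with a memory-hard, deliberately slow KDF (scrypt): the salt
    defeats precomputed tables, and the cost per guess makes per-account
    guessing, which salting alone does not prevent, far more expensive."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1).hex()

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: the stolen digest of a common password is found instantly.
    print(lookup(hash_unsalted("qwerty"), table))   # qwerty
    # Salted: the same password's digest is not in the precomputed table.
    salt, stored = make_record("qwerty")
    print(lookup(stored, table))                     # None
    print(verify("qwerty", salt, stored))            # True
```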
Mr. Marks said the company on Wednesday would begin prompting users to change their passwords and alerting customers about the breach via email and other marketing channels.
Peter Lee, spokesman for the FBI's San Francisco field office, said the FBI was working closely with eBay to investigate the breach. Mr. Marks said eBay was investigating digital evidence such as the IP addresses of the hackers. Mr. Lee said he believed that arrests would be made soon.
The eBay breach is one of several recent hacking episodes at prominent companies. One that struck Target in December has already cost the retailer $87 million in breach-related expenses, according to securities filings.