E-commerce company eBay Inc said hackers stole email addresses, birthdays and other identity information between late February and early March in a data breach that may have affected a “large number” of accounts.
In the latest major cyber attack at a U.S. company, eBay said it had found no evidence of unauthorized access to financial or credit card information, which is stored separately in encrypted formats.
But the company urged all of its users, including the 145 million customers who bought or sold something on eBay in the last 12 months, to change their passwords.
EBay’s shares fell as much as 3.2 percent on Wednesday after the company disclosed the attack on a database that also contains encrypted passwords, addresses and phone numbers.
“For the time being, we cannot comment on the specific number of accounts impacted,” eBay spokeswoman Kari Ramirez said. “However, we believe there may be a large number of accounts involved.”
EBay said it had 145 million active buyers as of March 31. It also has an undisclosed number of inactive users.
The company said it had not seen any indication of increased fraudulent account activity on eBay and that there was no evidence its online payment service, PayPal, had been affected.
EBay said it was investigating the breach, first detected about two weeks ago, and working with law enforcement agencies.
“I don’t think there was a lapse,” JMP Securities analyst Ronald Josey said. “I think Ebay’s encryption is amongst the best considering that consumer financial data was not impacted,”
According to the company, hackers compromised the log-in credentials of a small number of eBay employees, allowing them access to its network.
“The real key question going forward will be if any money has been stolen, or any unauthorized activity been performed,” Wedbush Securities analyst Gil Luria said. “As long as this is not the case, this thing will come and go and will not be an issue for eBay.”
EBay’s shares fell as low as $50.30 in early trading on the Nasdaq before recovering to $51.64 by midday.
The company had earlier issued a notice on its PayPal website asking users to change their passwords without explanation, but removed the message a short time later.
EBay has been attacked before. In February, hacking group Syrian Electronic Army breached and defaced websites belonging to PayPal UK and eBay. (http://r.reuters.com/xag59v)
One of the biggest breaches at a U.S. company was at retailer Target Corp, where hackers last year stole some 40 million card numbers and another 70 million customer records.
Last month, U.S. web media company AOL Inc urged its tens of millions of email account holders to change their passwords and security questions after a cyber attack compromised about 2 percent of its accounts.
(Additional reporting by Jim Finkle in Boston and Saqib Iqbal Ahmed in Bangalore; Editing by Rodney Joyce, Savio D’Souza and Robin Paxton)