eBay Struggles To Reset 145 Million Passwords As Details Pop Up 'For Sale' On Anonymous Sites

145 Million 'eBay Details' For Sale On Anonymous Site

Ebay is reportedly 'struggling to cope' as millions of users attempt to simultaneously change their passwords in the wake of a massive security breach.

The online auction site said earlier this week that millions of users' data was stolen in unencrypted form by hackers.

The data included passwords, alongside dates of birth, addresses and other identifying data.

Adding to the anger felt by its users, eBay said the breach actually took place in February or March, meaning it may be too late to stop the information spreading.

Regardless, eBay suggested that all of its users change their passwords - and since there are 145 million of them that's apparently proving difficult. Some users were reportedly left facing error messages and "page not available" notices as they tried to change their details on the site on Thursday and Friday.

eBay said "high traffic volume" was to blame, and said that no activity would be possible on the accounts until the password was reset.

Other users have reported that having requested new passwords via email or text, they are simply not receiving them -- meaning they cannot access their accounts.

Meanwhile security experts said that offers had been posted on anonymous messaging sites offering 145 million customer accounts for sale.

Trey Ford, global security strategist at Rapid7, said:

"There has now been a posting on pastebin claiming to offer “145 312 663 unique records” relating to the eBay breach. It’s not yet been verified that these are legitimately eBay credentials, and it’s possible that a criminal has just spotted an opportunity to cash in on the attack with some other credentials dump they have…"

"This doesn’t necessarily mean these credentials are from the eBay attack," he added, however, saying that they might have come from another site altogether and that the evidence suggests it could take a long time to crack the passwords.

"eBay still has the ability to invalidate compromised passwords. There is a level of friction (or frustration) to impose by doing this, but a very worthwhile tradeoff in elevating the safety of their customers."


What's Hot