eBay credentials breach
Attackers used a small number of compromised employee credentials to access eBay's corporate network and exfiltrate a database covering all 145 million users — names, encrypted passwords, email and postal addresses, phone numbers, and dates of birth.
- Victim: eBay
- Records: 145.0M
- Users: 145.0M
On 21 May 2014, the online marketplace eBay disclosed that attackers had breached its corporate network using a small number of compromised employee credentials and accessed a database containing personal records for its entire user base of roughly 145 million people. At the time it was among the largest data breaches ever recorded.
What happened
The intruders did not break through eBay's perimeter with an exploit. Instead, they obtained the login credentials of a small number of eBay employees — most reporting attributes this to social engineering — and used that legitimate access to move laterally across the corporate network. Once inside, they reached a database holding personal information for every eBay account.
The compromise is believed to have occurred between late February and early March 2014. eBay's security team did not detect the intrusion until early May 2014, roughly two weeks before going public, giving the attackers an extended dwell time inside the network.
What was exposed
The compromised database contained:
- Customer names and account usernames
- Encrypted (hashed) passwords
- Email addresses
- Physical mailing addresses
- Phone numbers
- Dates of birth
Crucially, eBay stated that financial data was not exposed: credit card numbers and other payment details were stored separately, and PayPal — then an eBay subsidiary — kept its financial data on a separate, encrypted network that showed no evidence of unauthorised access.
Impact
eBay required all 145 million active users to reset their passwords. Although the passwords were encrypted, security researchers warned that the combination of names, email addresses, home addresses, phone numbers and dates of birth created a rich foundation for phishing, account-takeover and identity-theft campaigns. eBay drew criticism for the gap between detection and disclosure, and for an initial password-reset rollout that some users found confusing.
Why it matters
The eBay breach is a textbook case of identity-based intrusion: the attackers needed no malware or zero-day, only a handful of valid employee credentials and the ability to move laterally toward sensitive data. It reinforced the industry shift toward multi-factor authentication for employee accounts, network segmentation, and least-privilege access to limit the blast radius when a single account is compromised. It also became an early cautionary tale on breach-disclosure timing, as scrutiny intensified over how long companies take to detect and report intrusions affecting hundreds of millions of consumers.
Timeline
- Attackers compromise a small number of eBay employee login credentials, gaining access to the corporate network between late February and early March 2014.
- Intruders pivot to a database holding personal records for eBay's entire user base.
- eBay's security team detects the compromised employee credentials roughly two weeks before public disclosure.
- eBay publicly discloses the breach and asks all 145 million active users to reset their passwords.
- Press reports characterise the incident as one of the largest breaches in history; regulators in several U.S. states and the U.K. open inquiries.
Sources
- bankinfosecurity.com: https://www.bankinfosecurity.com/ebay-a-6858
- cnbc.com: https://www.cnbc.com/2014/05/22/hackers-raid-ebay-in-historic-breach-access-145-mln-records.html
- huntress.com: https://www.huntress.com/threat-library/data-breach/ebay-data-breach
- reuters.com: https://www.reuters.com/article/technology/ebay-asks-145-million-users-to-change-passwords-after-cyber-attack-idUSKBN0E20OK/