Online auction house Ebay has confirmed that hackers raided its network three months ago, and nicked more than 145 million user records.
The attack is the second largest in US history, although Ebay said that it is not clear if the crooks could actually use the data they nicked
EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them. However it did advise customers to change their passwords immediately.
Miller said that there was no evidence of impact on any eBay customers and it would be hard to decrypt the passwords.
The records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.
The company has hired FireEye Mandiant forensics division to help investigate the matter. EBay earlier said a large number of accounts may have been compromised, but declined to say how many.
Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.
However Michael Coates, director of product security with Shape Security, told Reuters that there was a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so.
However, eBay has said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.
The hackers got in by using the login credentials for “a small number” of employees, allowing them to access eBay’s corporate network.
Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems in October 2013, when hackers accessed about 152 million user accounts.