This week saw a huge eBay security compromise, which opened up user details on a major scale – but when the issue first came to light, the company didn't think any user data was involved.
You can't have missed the story of this breach – and the ensuing fracas in which eBay was roundly criticised for its lackadaisical response this week. With passwords involved in the compromise, eBay's push for users to change their passwords was woefully sluggish – failing to get even a prominent warning up on the site itself until the day after the breach was officially admitted (at least going by GMT; see our closer look at how badly eBay handled its database breach). And indeed there was no forced reset of user passwords.
When the story broke, you may have noticed that while the breach itself happened back in February or March, eBay didn't discover it until two weeks before admitting that it had taken place – so what, you might ask, was eBay doing during those two weeks?
Well, the auction site may have found the breach two weeks ago (just over that, by now), but when it was first discovered eBay didn't believe that any user data had been compromised by the intruders (who accessed eBay's network using employee login credentials they had managed to get hold of).
A Reuters report notes that when forensic investigators started their examination of the incident, they thought customer data was safe. Devin Wenig, global marketplaces chief at eBay, told Reuters: "For a very long period of time we did not believe that there was any eBay customer data compromised."
And apparently it was only very recently that the involvement of customer details was discovered, as eBay says it moved "swiftly" (as you would hope) when the truth of the matter became clear. Wenig wouldn't disclose exactly when eBay found out that user data had been spilled.
Wenig also said that millions of eBay users have now reset their passwords – though there will be many millions more who need to do so (eBay has an active user base of some 145 million according to the latest figures).
As for possible compensation for this faux pas – eBay has no plans for that, Wenig said, because no financial fraud has been spotted relating to the data leak.
What about the fact that postal addresses, phone numbers and dates of birth – and other important data which, unlike a password, can't be changed – are now out there in the wild, ready for identity thieves to potentially get their mitts on? The problem is that going forward, it will be impossible to determine exactly what financial fraud could be committed off the back of this data spillage...