The company detailed the decision in an announcement today, adding that while there was “no evidence of the compromise resulting in unauthorized activity for eBay users”, it’s “best practice” to request that all users change their passwords.
eBay confirmed that credit card information is stored separately in encrypted formats, and as such wasn’t revealed during the intrusion.
“Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers,” the company said.
As it turns out, the breach occurred between late February and early March, and left customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth exposed.
The attackers managed to gain access to the server holding the information by compromising “a small number” of employee log-ins, which then allowed access to eBay’s corporate network.
Starting today, eBay will tell customers to reset their passwords via email, on-site messages and other channels, but there’s really no time like the present.