BOSTON - EBay Inc said that hackers raided its network three months ago, stealing some 145 million user records from a database in what is poised to go down as one of the biggest data breaches in history based on the number of accounts compromised.
It advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.
EBay spokeswoman Amanda Miller told Reuters those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.
"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."
She said the hackers copied a massive user database that contained those passwords, as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.
The company had earlier said a large number of accounts may have been compromised, but declined to say how many.
Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.
"This is not a breach that only hurts EBay. This is a breach that hurts all websites," said Michael Coates, director of product security with Shape Security.
He said there is a significant risk that the hackers have or will unscramble those passwords. Companies typically only ask users to change passwords if they believes there is a reasonable chance attackers may unscramble encrypted passwords, he added.
Once the passwords are unscrambled, attackers could use automated software that seeks to log into thousands of popular services, including Facebook, Twitter, popular email services and online banking sites, he said.
EBay said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.
EBay said the hackers got in after obtaining login credentials for "a small number" of employees, allowing them to access eBay's corporate network.
It discovered the breach in early May and immediately brought in security experts and law enforcement to investigate, Miller said.
"We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise," Miller said when asked why the company had not immediately notified users.
The breach could go down as the second-biggest in history at a US company, based on the number records stolen.
Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.
It would be larger than the one that Target Corp disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.