Auction site eBay has urged users to change their passwords after suffering what may have been the biggest-ever cyber-attack when hackers broke into a database holding its 233m customers’ personal data. EBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth which were not encrypted.

The site has 233 million customers worldwide, including more than 14 million active in Britain.
In a statement, the auction site said that a database was compromised between late February and early March. PayPal, the payment arm of eBay, released a statement saying it was not affected and that financial information had not been compromised. Exposure of personal information such as postal addresses and dates of birth puts users at risk of identity theft, where the data is used to claim ownership of both online and real world identities. Users are also at risk of phishing attacks from malicious third-parties, which use the private details to trick people into handing over bank account, credit card or other sensitive information.

The break-in was not caused by the “Heartbleed” flaw in internet servers that received publicity this year. Instead, the hackers “compromised a small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network”, the company said.

“The scope for damage is absolutely huge and could be the biggest hack of all time, given the number of users eBay has,” said Rik Ferguson, global vice president of security research at security software firm Trend Micro.

Ebay has been described as the “golden goose” by some security researchers because of its large user base, but other internet companies yet to suffer large hacks of this nature are also considered prime targets. Ebay said it is investigating the compromise working with law enforcement and security experts. The company said that there had been “no evidence of the compromise resulting in unauthorised activity for eBay users, and no evidence of any unauthorised access to financial or credit card information”.

Users will be prompted by email as well as on-site to change their passwords as a precaution, despite the stolen passwords being encrypted and showing no evidence of being compromised. Shoppers who use the same password on other sites are encouraged to change those passwords too.