Updated from 10:15 a.m. ET to include analyst comments and afternoon share prices
NEW YORK (TheStreet) - E-commerce giant eBay (EBAY) said on Wednesday cyberattackers hacked into a small number of employee log-in credentials, allowing unauthorized access to the company's corporate databases. As a result, the online marketplace urged customers to change their passwords and also noted it had yet to see a rise in fraudulent activity or any compromise of its mobile payments arm, PayPal.
Still, an investigation into the attack is ongoing. eBay said on Wednesday it is working with law enforcement and security experts on the matter.
eBay said databases at the company were hacked between late February and early March, and data stolen as a result of the attack included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. The hacked database, however, did not contain financial information or other confidential personal information. eBay also emphasized on Wednesday it keeps PayPal data separate from its online marketplace.
"The compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today," eBay said.
eBay said that the investigation into the cyberattack is ongoing. "The company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers," eBay said, while noting that it is working with law enforcement and security experts on the investigation.
"Data security has been on the forefront of industry and consumer minds following the recent notable data breaches (i.e., Target, which resulted in compromised financial information)," Sanjay Sakhrani, an analyst at Keefe, Bruyette & Woods, said in a Wednesday client note.
"The cyberattack appears to have a limited scope and financial data appears to not be impacted (which likely minimizes any financial impact to EBAY); however, headlines around data breaches generally do not garner positive sentiments from both the market as well as with users," Sakhrani added.
After initially slumping over 2% at the open of trading on Wednesday, eBay shares rebounded to $51.83 in afternoon trading, recovering most of their losses.
eBay said it had seen no signs of rising fraud within its marketplace or any impact on its payments division, PayPal. Still, the company urged users to change their passwords. "[C]hanging passwords is a best practice and will help enhance security for eBay users," eBay said.
Security analysts said eBay is a leader in e-commerce security. Nevertheless, some said they expected PayPal and other parts of eBay to see an impact from the security breach.
"PayPal and eBay have the most sophisticated tools in the industry," Liron Damri, a former PayPal fraud prevention employee said in a Wednesday telephone interview. "I would find it hard to believe [the breach] didn't have an impact on PayPal," Damri added, while noting that a change of password may mitigate the impact of the breach given that money movements will require control of an eBay or PayPal account.
That customer data was stolen, however, may mean the breach will have a financial impact. Currently, Damri is the COO if Forter, an IT security solution provider.
Given eBay's initial comments, it appears the attack may have less of an impact as a hack at retail giant Target (TGT), where tens of millions of debit numbers were stolen and hackers made off with troves of customer financial data. eBay said it has yet to find instances where customer financial information was stolen.
Target Still Recovering
The cyberattack comes after a wave of attacks in the retail industry. Most notably, Target has suffered a significant financial impact from a massive attack in its retail stores during the holiday season.
That attack and a slow response by the company eventually led to the resignation of CEO Gregg Steinhafel. In the Target attack, over 40 million debit card numbers were stolen, as was the personal data of 70 million customers.
Target shares have fallen significantly since the company first disclosed the attack in the fourth quarter of 2013.
-- Written by Antoine Gara in New York.