This is quite poor, imho. The fact that they either didn't inform their users, or worse still, didn't know of the breach.

It seems the authorities are to investigate.

The UK's information commissioner is working with European data authorities with a view to taking action against eBay over its recent data breach.

Three US states are also investigating the theft of names, email addresses and other personal data, which affected up to 145 million eBay customers.eBay faces investigations over massive data breach [bbc.co.uk]

It sounds worse than it was, I went in to change my password and found the account disabled until I did reset it. The information that was exposed was not sufficient to allow unauthorized reset. The accounts were not left exposed to abuse. No one is very happy about their having shared other personal info, but not any more info than people commonly expose in their own activities online. The personal details people publicly share on Facebook (for example) scare me speechless.

Certain snippets of information can be used to build up a picture of individuals. It's the start of identity theft.

If passwords and usernames were stolen, it would mean users are at risk had they used such sign-ins elsewhere. If, as was suggested, birth date info, e-mail addresses, etc., were compromised, the risk is far greater.

The average user cannnot easily change their e-mail, so they should change their password if e-mail address and password were used anywhere else.