Update 12:34PM ET: A quote provided by Jumio inaccurately stated that eBay used KBA and has been removed.

eBay is facing an investigation in the U.K. and three U.S. states after sustaining a massive cyberattack.

Yesterday, eBay revealed that a database containing the sensitive, personal details of its 145 million active users was compromised two months ago. The breach, possibly the second largest in U.S. history, is now under scrutiny in Connecticut, Florida, and Illinois, BBC News reports.

A joint investigation between the three states is already underway. Meanwhile, a pending investigation led by the U.K.’s information commissioner is reportedly hitting roadblocks due to “outdated and complex data protection laws.”

Immediately following the breach, security firms jumped at the opportunity to call eBay’s security practices into question. In an email to VentureBeat, a strategist at security and threat analysis firm Rapid7 highlighted that eBay “still has the ability to invalidate compromised passwords,” despite the friction it may cause users.