Subscribe    RSS Feeds    Twitter            Contact Us   
728_header.jpg (23748 bytes)
 Home   EB Blog   AB Blog   Letters   Podcasts   ABTV   Forums   EPIS   PR Service   Classifieds   EKG   Ratings 
Web Site     
  Rate Services
  Amazon Fee Calculator
  eBay Fee Calculator
  Etsy Fee Calculator
  Auction Calendar
  Collectors' Links
  eBay Promo History
  Bookshelf
  Fraud Resources
  Drop-Off Store Laws
  Payment Holds
  ABTV
  Ecommerce Resources
  Photo Tips
  Marketing Inserts
  Yellow Pages
  Advertising
buyersmarket2aaa2.JPG (7729 bytes)
Julia Wilkinson AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

Julia Wilkinson is Editor of the AuctionBytes Blog and is author of the "eBay Price Guide," "eBay Top 100 Simplified Tips and Tricks," "My Life at AOL" and numerous ebooks about selling online. You can also find her writing on Yard Salers.
Sat Feb 17 2007 10:30:05

Vendor Security Lapse Has eBay Sellers Fuming

 By: Ina Steiner
Sponsored Link
A list of eBay sellers containing names, addresses, and user names and passwords was discovered online this week. On Tuesday, eBay users began buzzing about the list in a thread entitled, "Is eBay like the Titanic" on the eBay Trust & Safety board, with someone including a link to the list.

eBay removed the link, according to eBay spokesperson Hani Durzy. "The link was taken down for obvious reasons. The boards are not to be used to promote illegal activities," he said. But the remaining posts made it clear users remained concerned and angry.

Durzy told AuctionBytes on Friday afternoon that the data was several years old. eBay believed the data was the result of users giving out their passwords to scammers through phishing emails, and had no reason to believe the rumor that the information came from a third-party developer.

But several hours later, an eBay member sent AuctionBytes an active link to a list of customer names on Prosperpoint, a developer that provides eBay sellers with auction-management services.

When contacted by AuctionBytes, Prosperpoint founder and CEO Carson Kelly said the data came from a file that was erroneously put on the company's pages and dated back to 1999 or 2000. "We switched our technology backbone. It was a copy of a file used to move data from one to another." According to Kelly, the employee who put the data on a publicly accessible page is no longer working at Prosperpoint, but Kelly said he was sure it was a mistake and not intentional.

Kelly said the data included Prosperpoint user IDs and passwords, not eBay account information.

However, Kelly was unaware that a list - with thousands of  Prosperpoint customer records - was still active on a page on his site, and removed it within moments of being told about it by AuctionBytes on Friday evening. That list contained more recent account data, Kelly said. "Our security is good. This fell through the cracks."

Kelly said credit card information on all of the lists was encrypted - meaning it was not accessible. He said he was unaware of a California law requiring companies to notify users of security breaches, but said he was in the process of notifying customers.

When asked why some users - and eBay itself - believed the user IDs and passwords belonged to eBay accounts, Kelly said some users - particularly in 1999 and 2000 - may have used the same passwords for multiple services. Kelly said he had been aware of the problem for a few days, and had not been in touch with eBay.



In 2004, eBay implemented the Authentication and Authorization program, a security measure that eliminates the need for users to give their eBay passwords to third-party vendors.

Durzy had stated that any eBay accounts on the list that might have been active were already locked down. eBay took three steps, he said. First, they locked down the accounts, and will then try to restore the accounts to the rightful owners. eBay also contacted law enforcement.

However, it's not clear if eBay was aware of the second list of more recent customer data. It was too late to get further information from eBay by press time.

Reading AuctionBytes Blog: Vendor Security Lapse Has eBay Sellers Fuming
Comments (18) | Leave Comment | Permalink
Readers Comments

Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: 0ctavia
       
Sat Feb 17 12:24:29 2007
eBay and security don't seem to be two words which sit very well together. I had also noticed the rumblings on various discussion forums about this. You might have thought that eBay would have been straight on there to reassure their customers that everything was being done etc etc instead of simply pulling posts.
Is there any way of finding out if your particular id was on this list, I wonder?
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: DOC
       
Sat Feb 17 15:40:27 2007
Wonder if those accts are responsible for these ebm assaults?

http://www.ebaymotorssucks.com/fortzabanele00.htm
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: dimes
       
Sat Feb 17 17:55:25 2007
I hadn't seen that new report on ebaymotorssucks, but I have been following the other security breach it's been tracking -
the Romanian (?) hacker named Vladuz, who created a Firefox plugin and used it to obtain the names and user ID/passwords of actual eBay employees.  

He demonstrated his ability to do so by ''pink'' posting on the German boards under various employee IDs, and posting screenshots of fake listings he created under the employees' eBay accounts.

Pretty grim.
http://www.ebaymotorssucks.com/rflello.htm

At the rate it's going, ''eBay security'' will soon show up on George Carlin's list of oxymorons, right next to ''jumbo shrimp''.
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Fruit Helmet Cat
       
Sat Feb 17 19:43:09 2007
You suck eBay, you SUCK. You can't even fix the back button, ya bumbling facists. You give those 3rd parties access to priviledged information, you're equally responsible for what they do with it. This is no different than when LIVEWORLD who handles ebays message boards had user information that was leaked out. And while I'm typing, why is it that SKYPE keeps overwriting my firewall & adds itself to my firewall exception. I haven't used your skype for at least 6 months.
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: guest
       
Sat Feb 17 20:05:27 2007
Speaking of Skype, I read in some security blog that skype puts an executable file in your C: root directory that directly interacts with the cornal. or something on that line. Wish i remembered where that article was.
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: FireMeg
       
Sat Feb 17 21:23:36 2007
This story is pretty big, but the really disturbing thing about this incident is that occurs just weeks after eBay management gave rapid-fire speeches as meetings & conferences about the state of security at eBay.  At last month's town hall, Bill Cobb all but said that scams and fraud had been purged from the site, while blaming scams & fraud rumors as a reason that eBay shoppers and sellers were leaving.  eBay management also just recently initiated two major new policies (SMI & Paypal only for new sellers) that were directly supposed to cut down on fraud and increase security.
 
Another disturbing thing is how eBay tried to bury the compromised user information when it was brought to their attention, by removing post after post on the eBay discussion boards.  I can fully understand removing the intial link to the exact page on the internet with the information, but removing posts that mentioned the incident is just absurd...especially when no policies were seemingly violated.  Some of the posts were users asking about information.  eBay must have decided that emailing those members whose account info was leaked was enough. But being that there are routinely very bad lag times in My Messages and other glitches that result in messages from eBay not arriving in either My Messages or being sent via email - you would think that eBay would make an announcement.
 
The CEO of Prosperpoint says that there were no ways near the alleged 10,000+ user ID's on the list, but at what point does a security breach warrant action via announcement by eBay?  Had eBay actually managed (as they tried) to cover up the whole situation, that would be one thing, but they failed.  Now eBay users are once again feeling as they have been lied to.  Who benefits from keeping users in the dark?  eBay Inc.  If eBay was as concerned about fraud and security as they profess to the media and to analysts, they would have come out and admitted the leaked information had occurred, placed blame on the developer in question, and talked about how much more secure the site has become since 2004 when eBay stopped allowing developers to handle passwords.
 
Fact is though, that ebay is less concerned about fraud and security than they are about pleasing those on Wall Street.  Once again sellers and buyers who are the engine of eBay Inc. have been overlooked, lied to and kept in the dark.
www.firemeg.com
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Fruit Helmet Cat
       
Sun Feb 18 02:42:14 2007
Everything with ebay is bait & switch. If they announce something else you always have to dig around to figure out what they are changing. I still think that Safeguarding Members Project is nothing more than to cover up a security issue. Why would Rob Chestnut announce that by blocking the ability to see bidding history on buyers of $200 or more bids that this would prevent them from getting fraudulent second chance offers? How the H E L L would a scammer get my email address from a bid? The only way we're getting fraudulent second chance offers is direct into our email systems. Read that announcement again on how he worded it, you see for yourself. What he's saying without saying is that a scammer can get to you from your Ebay ID on what you bid on. What? Those who bid on the ebay site less than $200 are not worth protecting? You can't have it your way on both sides on this issue Greedbay.

And that stupid SKYPE is loaded on my windows task manager 18,904K mem usage. I delete it every time I boot up my computer!
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Jim
       
Sun Feb 18 05:53:06 2007
...and it would seem the problem is spreading. There is currently chaos regarding a hacker on Ebay.co.uk:

http://forums.ebay.co.uk/thread.jspa?threadID=12000
89939

It seems that many high value item listings have been hacked, and a message has been inserted into listings stating an email address to contact for buy it now price.
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: firemeg
       
Sun Feb 18 07:31:50 2007
Those who bid on the ebay site less than $200 are not worth protecting?
I would think the  
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Sab3rt00th
       
Sun Feb 18 20:51:12 2007
They may have removed the file, but Google still cached it.
http://72.14.203.104/search?q=cache:seT2g4au45UJ:
www.prospe
rpoint.com/jeff/decrypted_ebay_creds.txt
+site:prosperpoint.com&hl=en&ct=clnk&cd=33&gl=us

You can see that the name of the original file is decrypted ebay creds. These passwords were intentionally decrypted from a hash file, and they are obviously Ebay accounts and not Prosperpoint.
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Jim
       
Mon Feb 19 04:38:04 2007
The British Press have now picked up on the hacked listings:

http://www.mirror.co.uk/news/tm_method=full%26objecti
d=18642129%26siteid=89520-name_page.html
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: guest
       
Mon Feb 19 08:14:47 2007
And the stinky pinkies say the press report is wrong! Go Figure..

http://forums.ebay.co.uk/thread.jspa?threadID=12000900
15&start=160
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: dimes
       
Mon Feb 19 13:45:18 2007
You say tomato, I say...

what eBay calls ''phishing'' is actually ''pharming'', and there is no email involved.

The identity theft occurs ON EBAY ITSELF, when already-signed-in users are asked to re-login, completely unaware they're handing their passwords over to criminals.

http://en.wikipedia.org/wiki/Pharming
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: 4year ebay seller nikki
       
Mon Feb 19 16:28:14 2007
Ebay is more messed up than there letting on , I had ebay remove 588 item 3 days ago for my store, I have been given no reson by email they have no phone ,Just that they will look into it , They said if Iam found not quitly then I can sell again , But my 588 items are gone . I hearing it could take 30 day .  And it will take me 30 more to relist all items :(
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: PETE
       
Mon Feb 19 19:14:26 2007
YEA-----MY ACCOUNT HAS BEEN HACKED ON E-BAY--THEY OWE ME MONEY FOR AN ITEM THAT I NEVER HAD LISTED, THEN CHARGED MY ACCOUNT FOR THE SALE----A SCAM FROM THE WORD GO----E-BAY SECURITY IS A FARCE
AND NOW THEY WANT ME TO JUMP THRU HOOPS TO GET MY MONEY BACK FROM E-BAY---TIME FOR SMALL CLAIMS COURT IN TEXAS
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: DOC
       
Mon Feb 19 21:17:17 2007
Check out this intimading email eBay sent to a German publisher and webhost. It is at the bottom of this page.
http://www.ebaymotorssucks.com/rflello.htm
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: firemeg
       
Tue Feb 20 08:56:38 2007
Did anyone see the Blogging Stocks article by Gary Sattler?

http://www.bloggingstocks.com/2007/02/19/headline-repo
rts-ebay-hacked/

This article was edited from its original version.  Or it was hacked after being published and subsequently edited by Sattler.  Or it Blogging Stocks was contacte by eBay to remove the Vladuz links and portions of the blog.

Let the speculation begin.  ebaymotorsucks has the screenshot of the original.

http://www.ebaymotorssucks.com/trevtan69.htm
(scro
ll the whole way down)
Vendor Security Lapse Has eBay Sellers Fuming   Vendor Security Lapse Has eBay Sellers Fuming
by: Anonymous
       
Wed Feb 21 14:58:09 2007
So besides phoney second chance offers, the ability to change auctions that are currently running and spoofing as pinks, what else can this hack do?

My guess is that it is some kind of social engineering that is responsible, maybe pharming, maybe just chatting up the right FeeBay employee?

I so hope this finally brings FeeBay to its knees...it's about time.


Login is required to post comments.
To sign in to leave a comment using your AB Verify User Name, fill in the form below. If you have not yet signed up for AB Verify, or if you'd like more information, go to the Registration Page.

Login for AB Verify
Be sure and use your email address and password to log in.
 
Email:
Password:
 
 Forgot Your Password?
 Even though you are signed in with the AuctionBytes Blog, you will have to sign in to the EcommerceBytes blog. But you can sign in with your existing AB Verify info.
 AB Blog Recent Posts 
 EB Blog Recent Posts 
 AB Blog Recent Comments 


Subscribe in a reader

Archives
 
About Us      Privacy Policy & Terms      Link to Us      Partners      Our Writers      Write for Us      Press        Site Index

Copyright 1999-. Steiner Associates LLC. All rights reserved.
 




Powered by Perl Web Blog
© 2005/2013 Ranson's Scripts