EcommerceBytes-NewsFlash, Number 1630 - September 26, 2007     1 of 3

eBay Denies Security Breach after User Information Exposed


eBay closed its Trust & Safety discussion board for hours on Tuesday after threads began appearing listing the names and addresses of eBay members. eBay spokesperson Nichola Sharpe said, "We think the fraudster obtained the eBay User names and IDs from previous account takeovers." The credit card information that was published alongside 1,200 names, User IDs and addresses was not associated with the financial information on file for those users at eBay or PayPal, Sharpe said.

When asked if the "malicious fraudster," as eBay called the person behind the incident, might have been Vladuz, Sharpe said, "At this stage we are not confirming the identity of the fraudster." Last December, someone calling himself Vladuz began making claims that he had hacked into eBay, a claim eBay has denied. Some eBay users remain adamant in their belief that Vladuz has successfully hacked eBay.

In February and March of 2007, Vladuz posted on eBay boards using the pink line reserved for eBay employees. At the time, eBay confirmed a fraudster had obtained access to a handful of email accounts from some customer service representatives, but said the only information he had access to was information contained in emails. eBay said it keeps email servers separate from servers hosting member data (http://www.auctionbytes.com/cab/abn/y07/m02/i23/s01).

Sharpe said Tuesday eBay was in the process of proactively contacting members by phone, "so that if the information is valid somehow - regardless how this fraudster acquired the information - these members can take the steps they need to take to protect themselves." AuctionBytes contacted several users whose information was posted on the eBay Trust & Safety board on Tuesday. Those who checked said the address information was correct, but said the credit card numbers were not theirs.

Some have criticized eBay for posting information about the incident on its blog instead of on the company's Announcement boards. Others have wondered why it took eBay over an hour to react to the posts that exposed member data, despite their efforts to inform eBay of the matter.

When some users expressed fear their names might have been included in the postings, a few users posted a list of the User IDs affected by the incident on discussion boards. Some say eBay has removed at least some of those posts, and one member said eBay removed her About Me page after she posted a list of User IDs there. Those claims fuel some members' fears that eBay may try to sweep such incidents under the rug.

AuctionBytes was first to break this story:
http://www.auctionbytes.com/cab/abn/y07/m09/i25/s00

Readers react on the AuctionBytes blog:
http://blog.auctionbytes.com


About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.

