Amazon, eBay, and USPS have received media attention for security issues this month during prime holiday-shopping season. With the reports we’re seeing about online and mobile shopping, it doesn’t appear that people are spooked in general, though it’s difficult to say with any precision what kind of impact these stories have on shopping behavior.
Amazon inadvertently disclosed customer email addresses and names due to a technical error that has since been fixed, according to the company. (Oddly, in its letter to those impacted, it said “our website” disclosed the information.)
At least one reader told us how frustrating it was that Amazon wouldn’t provide them with details, and on Thursday, a site called TomsGuide.com reported that Amazon gave some customers gift cards to pacify them.
A security expert discovered a vulnerability in eBay’s Japanese marketplace, you can read about it on SlashCrypto.org (“HOW I DUMPED EBAY JAPAN’S WEBSITE SOURCE CODE.”) The researcher got added to eBay’s so called hall of fame (“public acknowledgement when reporting a potential security vulnerability”).
Ironically eBay CEO Devin Wenig was in Japan this week, telling Kyodo News he wants eBay to become one of the top Japanese ecommerce sites.
Security expert Brian Krebs has been critical of US Postal Service security especially around its Informed Delivery service for consumers. This month, he wrote about a vulnerability impacting an API tied to its Informed Visibility service for businesses.
“U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf,” he wrote. You can find the story on KrebsOnSecurity.com.
Merchants, Be Vigilant
There was also a report that ElasticSearch, a search solution used by some online retailers, experienced a breach. ZDnet‘s headline: “ElasticSearch server exposed the personal data of over 57 million US citizens: Leaky database taken offline, but not after leaking user details for nearly two weeks.” It’s hard to know what merchants can do to prevent such incidents caused by third-party services that help power their websites.
ZDnet has a rather depressing slideshow of the biggest “hacks, leaks, and data breaches” in 2018 by month on this page. Remember to remain on your guard as a buyer and as a seller, even if you get an email with your name and other identifying information. And that applies to phone calls, as well – fraudsters can even spoof caller id.