AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Sat Feb 17 2007 10:30:05

Vendor Security Lapse Has eBay Sellers Fuming

By: Ina Steiner


A list of eBay sellers containing names, addresses, and user names and passwords was discovered online this week. On Tuesday, eBay users began buzzing about the list in a thread entitled, "Is eBay like the Titanic" on the eBay Trust & Safety board, with someone including a link to the list.

eBay removed the link, according to eBay spokesperson Hani Durzy. "The link was taken down for obvious reasons. The boards are not to be used to promote illegal activities," he said. But the remaining posts made it clear users remained concerned and angry.

Durzy told AuctionBytes on Friday afternoon that the data was several years old. eBay believed the data was the result of users giving out their passwords to scammers through phishing emails, and had no reason to believe the rumor that the information came from a third-party developer.

But several hours later, an eBay member sent AuctionBytes an active link to a list of customer names on Prosperpoint, a developer that provides eBay sellers with auction-management services.

When contacted by AuctionBytes, Prosperpoint founder and CEO Carson Kelly said the data came from a file that was erroneously put on the company's pages and dated back to 1999 or 2000. "We switched our technology backbone. It was a copy of a file used to move data from one to another." According to Kelly, the employee who put the data on a publicly accessible page is no longer working at Prosperpoint, but Kelly said he was sure it was a mistake and not intentional.

Kelly said the data included Prosperpoint user IDs and passwords, not eBay account information.

However, Kelly was unaware that a list - with thousands of Prosperpoint customer records - was still active on a page on his site, and removed it within moments of being told about it by AuctionBytes on Friday evening. That list contained more recent account data, Kelly said. "Our security is good. This fell through the cracks."

Kelly said credit card information on all of the lists was encrypted - meaning it was not accessible. He said he was unaware of a California law requiring companies to notify users of security breaches, but said he was in the process of notifying customers.

When asked why some users - and eBay itself - believed the user IDs and passwords belonged to eBay accounts, Kelly said some users - particularly in 1999 and 2000 - may have used the same passwords for multiple services. Kelly said he had been aware of the problem for a few days, and had not been in touch with eBay.

In 2004, eBay implemented the Authentication and Authorization program, a security measure that eliminates the need for users to give their eBay passwords to third-party vendors.

Durzy had stated that any eBay accounts on the list that might still have been active were already locked down. eBay took three steps, he said: it locked down the accounts, it will then try to restore the accounts to their rightful owners, and it contacted law enforcement.

However, it's not clear if eBay was aware of the second list of more recent customer data. It was too late to get further information from eBay by press time.





Readers Comments


by: 0ctavia

Sat Feb 17 12:24:29 2007

eBay and security don't seem to be two words which sit very well together. I had also noticed the rumblings on various discussion forums about this. You might have thought that eBay would have been straight on there to reassure their customers that everything was being done etc etc instead of simply pulling posts.
Is there any way of finding out if your particular id was on this list, I wonder?


by: DOC

Sat Feb 17 15:40:27 2007

Wonder if those accts are responsible for these ebm assaults?

http://www.ebaymotorssucks.com/fortzabanele00.htm


by: dimes

Sat Feb 17 17:55:25 2007

I hadn't seen that new report on ebaymotorssucks, but I have been following the other security breach it's been tracking -
the Romanian (?) hacker named Vladuz, who created a Firefox plugin and used it to obtain the names and user ID/passwords of actual eBay employees.  

He demonstrated his ability to do so by "pink" posting on the German boards under various employee IDs, and posting screenshots of fake listings he created under the employees' eBay accounts.

Pretty grim.
http://www.ebaymotorssucks.com/rflello.htm

At the rate it's going, "eBay security" will soon show up on George Carlin's list of oxymorons, right next to "jumbo shrimp".


by: Fruit Helmet Cat

Sat Feb 17 19:43:09 2007

You suck eBay, you SUCK. You can't even fix the back button, ya bumbling fascists. You give those 3rd parties access to privileged information, you're equally responsible for what they do with it. This is no different than when LIVEWORLD, who handles eBay's message boards, had user information that was leaked out. And while I'm typing, why is it that SKYPE keeps overwriting my firewall & adds itself to my firewall exceptions? I haven't used your Skype for at least 6 months.


by: guest

Sat Feb 17 20:05:27 2007

Speaking of Skype, I read in some security blog that Skype puts an executable file in your C: root directory that directly interacts with the kernel, or something along that line. Wish I remembered where that article was.


by: FireMeg

Sat Feb 17 21:23:36 2007

This story is pretty big, but the really disturbing thing about this incident is that it occurs just weeks after eBay management gave rapid-fire speeches at meetings & conferences about the state of security at eBay. At last month's town hall, Bill Cobb all but said that scams and fraud had been purged from the site, while blaming scam & fraud rumors as a reason that eBay shoppers and sellers were leaving. eBay management also just recently initiated two major new policies (SMI & PayPal only for new sellers) that were directly supposed to cut down on fraud and increase security.
 
Another disturbing thing is how eBay tried to bury the compromised user information when it was brought to their attention, by removing post after post on the eBay discussion boards. I can fully understand removing the initial link to the exact page on the internet with the information, but removing posts that mentioned the incident is just absurd...especially when no policies were seemingly violated. Some of the posts were users asking for information. eBay must have decided that emailing those members whose account info was leaked was enough. But given that there are routinely very bad lag times in My Messages and other glitches that result in messages from eBay not arriving in either My Messages or via email - you would think that eBay would make an announcement.
 
The CEO of Prosperpoint says that there were nowhere near the alleged 10,000+ user IDs on the list, but at what point does a security breach warrant action via announcement by eBay? Had eBay actually managed (as they tried) to cover up the whole situation, that would be one thing, but they failed. Now eBay users are once again feeling as if they have been lied to. Who benefits from keeping users in the dark? eBay Inc. If eBay was as concerned about fraud and security as they profess to the media and to analysts, they would have come out and admitted the information leak had occurred, placed blame on the developer in question, and talked about how much more secure the site has become since 2004 when eBay stopped allowing developers to handle passwords.
 
Fact is though, that eBay is less concerned about fraud and security than they are about pleasing those on Wall Street. Once again sellers and buyers, who are the engine of eBay Inc., have been overlooked, lied to and kept in the dark.
www.firemeg.com


by: Fruit Helmet Cat

Sun Feb 18 02:42:14 2007

Everything with eBay is bait & switch. If they announce something you always have to dig around to figure out what else they are changing. I still think that the Safeguarding Members Project is nothing more than a cover-up of a security issue. Why would Rob Chestnut announce that blocking the ability to see bidding history on buyers with bids of $200 or more would prevent them from getting fraudulent second chance offers? How the H E L L would a scammer get my email address from a bid? The only way we're getting fraudulent second chance offers is directly into our email systems. Read that announcement again and look at how he worded it; you'll see for yourself. What he's saying without saying it is that a scammer can get to you from your eBay ID on what you bid on. What? Those who bid on the eBay site less than $200 are not worth protecting? You can't have it your way on both sides of this issue, Greedbay.

And that stupid SKYPE is loaded in my Windows Task Manager at 18,904K mem usage. I delete it every time I boot up my computer!


by: Jim

Sun Feb 18 05:53:06 2007

...and it would seem the problem is spreading. There is currently chaos regarding a hacker on eBay.co.uk:

http://forums.ebay.co.uk/thread.jspa?threadID=1200089939

It seems that many high value item listings have been hacked, and a message has been inserted into listings stating an email address to contact for a buy it now price.


by: firemeg

Sun Feb 18 07:31:50 2007

> Those who bid on the ebay site less than $200 are not worth protecting?

I would think the


by: Sab3rt00th

Sun Feb 18 20:51:12 2007

They may have removed the file, but Google still cached it.
http://72.14.203.104/search?q=cache:seT2g4au45UJ:www.prosperpoint.com/jeff/decrypted_ebay_creds.txt+site:prosperpoint.com&hl=en&ct=clnk&cd=33&gl=us

You can see that the name of the original file is "decrypted ebay creds". These passwords were intentionally decrypted from a hash file, and they are obviously eBay accounts and not Prosperpoint.


by: Jim

Mon Feb 19 04:38:04 2007

The British press have now picked up on the hacked listings:

http://www.mirror.co.uk/news/tm_method=full%26objectid=18642129%26siteid=89520-name_page.html


by: guest

Mon Feb 19 08:14:47 2007

And the stinky pinkies say the press report is wrong! Go figure..

http://forums.ebay.co.uk/thread.jspa?threadID=1200090015&start=160


by: dimes

Mon Feb 19 13:45:18 2007

You say tomato, I say...

What eBay calls "phishing" is actually "pharming", and there is no email involved.

The identity theft occurs ON EBAY ITSELF, when already-signed-in users are asked to re-login, completely unaware they're handing their passwords over to criminals.

http://en.wikipedia.org/wiki/Pharming


by: 4year ebay seller nikki

Mon Feb 19 16:28:14 2007

eBay is more messed up than they're letting on. I had eBay remove 588 items 3 days ago from my store. I have been given no reason by email, they have no phone, just that they will look into it. They said if I am found not guilty then I can sell again, but my 588 items are gone. I'm hearing it could take 30 days. And it will take me 30 more to relist all items :(


by: PETE

Mon Feb 19 19:14:26 2007

YEA-----MY ACCOUNT HAS BEEN HACKED ON E-BAY--THEY OWE ME MONEY FOR AN ITEM THAT I NEVER HAD LISTED, THEN CHARGED MY ACCOUNT FOR THE SALE----A SCAM FROM THE WORD GO----E-BAY SECURITY IS A FARCE
AND NOW THEY WANT ME TO JUMP THRU HOOPS TO GET MY MONEY BACK FROM E-BAY---TIME FOR SMALL CLAIMS COURT IN TEXAS


by: DOC

Mon Feb 19 21:17:17 2007

Check out this intimidating email eBay sent to a German publisher and webhost. It is at the bottom of this page.
http://www.ebaymotorssucks.com/rflello.htm


by: firemeg

Tue Feb 20 08:56:38 2007

Did anyone see the Blogging Stocks article by Gary Sattler?

http://www.bloggingstocks.com/2007/02/19/headline-reports-ebay-hacked/

This article was edited from its original version. Or it was hacked after being published and subsequently edited by Sattler. Or Blogging Stocks was contacted by eBay to remove the Vladuz links and portions of the blog.

Let the speculation begin. ebaymotorssucks has the screenshot of the original.

http://www.ebaymotorssucks.com/trevtan69.htm
(scroll the whole way down)

by: Anonymous

Wed Feb 21 14:58:09 2007

So besides phoney second chance offers, the ability to change auctions that are currently running and spoofing as pinks, what else can this hack do?

My guess is that some kind of social engineering is responsible, maybe pharming, maybe just chatting up the right FeeBay employee?

I so hope this finally brings FeeBay to its knees...it's about time.
