Sat Feb 17 2007 10:30:05
Vendor Security Lapse Has eBay Sellers Fuming
By: Ina Steiner
A list of eBay sellers containing names, addresses, and user names and passwords was discovered online this week. On Tuesday, eBay users began buzzing about the list in a thread entitled, "Is eBay like the Titanic" on the eBay Trust & Safety board, with someone including a link to the list.
eBay removed the link, according to eBay spokesperson Hani Durzy. "The link was taken down for obvious reasons. The boards are not to be used to promote illegal activities," he said. But the remaining posts made it clear users remained concerned and angry.
Durzy told AuctionBytes on Friday afternoon that the data was several years old. eBay believed the data was the result of users giving out their passwords to scammers through phishing emails, and had no reason to believe the rumor that the information came from a third-party developer.
But several hours later, an eBay member sent AuctionBytes an active link to a list of customer names on Prosperpoint, a developer that provides eBay sellers with auction-management services.
When contacted by AuctionBytes, Prosperpoint founder and CEO Carson Kelly said the data came from a file that was erroneously put on the company's pages and dated back to 1999 or 2000. "We switched our technology backbone. It was a copy of a file used to move data from one to another." According to Kelly, the employee who put the data on a publicly accessible page is no longer working at Prosperpoint, but Kelly said he was sure it was a mistake and not intentional.
Kelly said the data included Prosperpoint user IDs and passwords, not eBay account information.
However, Kelly was unaware that a list - with thousands of Prosperpoint customer records - was still active on a page on his site, and removed it within moments of being told about it by AuctionBytes on Friday evening. That list contained more recent account data, Kelly said. "Our security is good. This fell through the cracks."
Kelly said credit card information on all of the lists was encrypted - meaning it was not accessible. He said he was unaware of a California law requiring companies to notify users of security breaches, but said he was in the process of notifying customers.
When asked why some users - and eBay itself - believed the user IDs and passwords belonged to eBay accounts, Kelly said some users - particularly in 1999 and 2000 - may have used the same passwords for multiple services. Kelly said he had been aware of the problem for a few days, and had not been in touch with eBay.
In 2004, eBay implemented the Authentication and Authorization program, a security measure that eliminates the need for users to give their eBay passwords to third-party vendors.
Durzy had stated that any eBay accounts on the list that might have been active were already locked down. eBay took three steps, he said. First, they locked down the accounts, and will then try to restore the accounts to the rightful owners. eBay also contacted law enforcement.
However, it's not clear if eBay was aware of the second list of more recent customer data. It was too late to get further information from eBay by press time.