eBay confirmed that its classified site Gumtree, popular in several countries outside the US, was hacked last weekend. Abby Smith, eBay Senior Director of Corporate Communications, provided the following statement to EcommerceBytes:
"Some Gumtree Australia customer information was compromised in a security attack on our site last weekend. The attackers accessed the email addresses of some Gumtree users.
"The contact name and phone numbers of the affected Gumtree users were also accessed; however in those instances, the details were already made public on the site by the users themselves when they posted an ad.
"Account passwords were not accessed. Payment details were not compromised; we don't store any payment information on our site.
"The incident was resolved within minutes of discovery and was an isolated event, only impacting some Gumtree Australia accounts.
"We've since taken extra steps to protect user information. The affected users, privacy regulators and the Australian Federal Police have been notified. Safety and security of our community remains our number one priority and we continue to educate our users about staying safe online and identifying potential scams or phishing attempts from fraudulent parties."
While Gumtree told users that account passwords had not been accessed, the incident provides yet another reason not to use the same password across multiple websites.
Unfortunately, some users remain in the dark about the incident thanks to over-aggressive Google Gmail filters. After reading on social networking sites about the emails Gumtree sent alerting customers, some said they hadn't received any communication from the classified site. One went looking and tweeted, "found it in my spam (gmail)."
Gumtree users posted the text of the emails they received on Friday on Facebook and Twitter, some wondering if it was a scam:
"We are writing to let you know that some of your Gumtree account information was compromised in a security attack last weekend. The attackers accessed your email address. Contact names and phone numbers, which are made publicly available on the site if provided, were also accessed.
"Your Gumtree account password was not accessed. Payment details were also not compromised; we don't store any payment information on our site.
"We resolved the isolated attack within minutes of discovering it and since then we've taken extra steps to protect your information.
"We encourage you to follow the tips below to help protect yourself from scam and phishing attempts: ..."
Gumtree Australia responded to a user on Facebook with the following reply:
Thanks very much for your message. On 29 April, we did send an email to some of our users to let them know that their Gumtree account information was accessed by attackers.
If you received this email on a different day or the email you got on 29 April includes links asking you to change your password or give us information, it might be a spoof and you should forward it to firstname.lastname@example.org.
The attackers accessed some users' email address as well as their contact name and phone number (if they were included by a user when they posted an ad). Account passwords were not accessed. Payment details were also not compromised.
The safety and security of our community is our number one priority. Unfortunately, in this case, an unknown vulnerability was exploited by attackers. The vulnerability was resolved within minutes of discovery and we've since taken extra steps to protect customer information.
Should you have any further questions or concerns, kindly contact us directly.
Thanks very much.
The representative wisely warned the user to be wary of spoof emails from other fraudsters who might try to take advantage of the incident to run a phishing campaign. As he advised, don't click on links in an email in order to sign in (that advice applies to any site).
eBay acquired Gumtree in 2005; the site now has a presence in the U.K., Australia, South Africa, Singapore, Ireland, and Poland.
Gumtree UK acknowledged the hack, which took place on Gumtree Australia, via Twitter: "We're hearing your concerns & would like to reassure our users that Gumtree UK has not been breached & all of our users' details are secure."
eBay experienced its own security breach in 2014 when a cyberattack compromised a database containing encrypted passwords and other non-financial data. In that incident, eBay required all users to change their passwords.