In what appears to be a major breach of customer privacy, eBay is exposing customers' real first and last names, as well as the items they've purchased, publicly on Google.
While the idea that your real name is exposed in a product review you left for a benign product like clothing or books is disturbing enough, Google is also displaying eBay customer names for sensitive purchases such as medical diagnostic tests - including pregnancy, drug, and HIV home testing kits.
A reader who provided EcommerceBytes with the news tip told us, "As both an eBay seller as well as being a buyer who has left product reviews for item that I have purchased on eBay, this new revelation is very disturbing to me. Furthermore what really scared me is the fact that with very little effort on my part I was able to match the reviewers actual name with their anonymous eBay user ID, by opening both the eBay product page and the Google Shopping product page in separate windows and placing them side by side."
For every search we conducted, from cookbooks to medical test kits, all of the reviews on Google Shopping Product Pages that were provided by eBay.com displayed actual customer names and the date they left the review, while reviews from other online retailers, such as Target.com and Walmart.com displayed user IDs.
It's not likely that someone who purchased a medical diagnostic test on eBay name would be thrilled that their review might be read by family members, partners or employers. One buyer was clearly concerned about the privacy of his purchase, noting in his review of a test kit he'd purchased on eBay that he was pleased it had come in discrete packaging.
EcommerceBytes was also able to do some matching of real names and user names of product reviews on Google Shopping and on eBay; once we had the eBay user name, we could see what other reviews they left. If they also used their eBay account to sell items, we could see their location (usually city, state, and country).
It appears there is a flaw in the feed eBay provides to Google, and this not the first time that eBay has been accused of compromising users' privacy. In 2014, NYU researchers discovered that they could aggregate eBay buyers' purchases, and characterized it as a security breach
- and that was when they had only the user names, not the actual names of buyers.
As part of the 2014 study, the researchers conducted a survey to gauge buyer expectations around privacy on the marketplace, they found nearly 39% preferred to make a sensitive or private purchase on eBay, "noting that they believed the site was a more discrete vendor than a physical store."
"Additionally, 38 percent of those surveyed believed that their purchase histories were visible to no one except them," the NYU researchers wrote.
We can't overstate how troubling this breach of privacy is, and of all the developments that have caused users to be concerned about privacy over the years, this tops the list right next to eBay's massive data breach of 2014 when it forced 145 million users to change their passwords.
We reached out to eBay and Google prior to publishing, a Google spokesperson said he would look into the matter. eBay as not yet responded.
Update (Mon Dec 11 2017 10:03:27):
Google Masks Customer Names after Alerted to eBay Privacy Breach (link
Update (Mon Dec 11 2017 19:46:04):
Google Says eBay Is Working to Resolve Privacy Flaw (link