
After EcommerceBytes alerted eBay and Google to a privacy breach yesterday, the real names of eBay customers that had been displaying in the Product Reviews section of Google Shopping were replaced with dashes overnight.
In fact, Google has masked data in that field for all product reviews - not just for eBay-provided reviews, but for those provided by retailers like Target and product-review sites like ProductReview.com.au as well.
eBay did not respond when we reached out yesterday afternoon to ask if it was aware it was providing Google with product reviews that included customers' real names instead of user names. Nor has it responded as of this morning.
Google, however, was immediately responsive, and asked us for more information. A spokesperson followed up last evening, asking, "Are you able to send other info about this issue? I'd like to send it to the shopping team so they have more info. They have your article but asked for addl detail."
By this morning, Google Shopping no longer displayed customer names or user names in product reviews.
Google aggregates product reviews from many sources - retailers, marketplaces, and product review services. In most cases when leaving product reviews, consumers prefer using handles or first name and the initial of their last name rather than their full, real names. And it's easy to see why many people would not want to publicly reveal information about the items they have purchased.
But security is another issue in addition to privacy concerns. eBay users should now be even more careful about emails that look like they come from the company. The information about eBay customers published on Google Shopping can be used by fraudsters to trick eBay users into providing passwords and confidential financial information in what's called "phishing" or "spoof emails" scams.
eBay advises users about how to recognize spoof emails: "Our emails usually greet you by the first and last name you registered on your eBay account, and your eBay username." This is information that fraudsters could have easily obtained through the eBay Product Review breach we uncovered.
Not only could fraudsters have harvested eBay customers' real names and matched them to their eBay user names (as we did yesterday), they also had information about what the buyer had purchased, making it even easier to trick people. In some cases, we were able to identify not only the real name and eBay user name of the customer along with an item they had purchased, but the city and state where they lived.
If you received an email that looked like it came from eBay that included your real first and last name *and* information about a product (or products) you had purchased on the marketplace, would you assume it was legitimate?