Latest eBay Data Breach Shows Deeper Security Concerns Than Reported

Two NYU professors have uncovered a flaw in the company's system that makes private data public.

Jul 22, 2014 at 10:17AM

eBay (NASDAQ:EBAY) has a second security problem on its hands.

In May, the company's systems were compromised by hackers, exposing some information belonging to nearly 150 million eBay users. The company asked all its customers to reset their passwords, but stressed that no financial data -- such as credit card numbers -- had been breached.

Now buyers and sellers using the online marketplace may be revealing far more than they intend to. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer's complete purchase history. That's a severe privacy breach, potentially revealing very personal information.

The paper was written by Keith W. Ross, dean of engineering and computer science at NYU Shanghai, and Leonard J. Shustek, professor of computer science and engineering at the NYU School of Engineering, along with doctoral candidate Tehila Minkus. Minkus and Ross began examining the issue when Minkus, an eBay user, was browsing the feedback section of a would-be purchaser's eBay profile following a botched transaction. Minkus noticed that with very little effort she was able to obtain a list of all of that user's prior purchases. Further probing revealed that this was not an anomaly -- it was a problem that could be exploited across all accounts.

"This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual's buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases," Ross said. "This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials."

This is clearly an unintentional loophole. eBay would not want to make data public that could embarrass users and send them shopping elsewhere. Having a security breach that lets anyone see what a user buys -- be it bobbleheads or hemorrhoid cream -- could cause customers to flee for more secure stores. 

Did the first breach hurt eBay? 

eBay CFO Bob Swan said on a conference call Wednesday that the initial data breach slowed user activity and revenue in the company's online marketplace. Still, revenue for the quarter in the eBay.com marketplace segment of the business climbed 9% to $2.7 billion.

The marketplace results were also hurt by changes Google (NASDAQ:GOOG) made to its search engine algorithm, which caused some eBay pages to show up less prominently in search results, The New York Times reported.

"While we are confident we will work through the global password reset and SEO changes, it will take longer and cost more," Swan said during the call. 

There did not appear to be any fallout from the scandal for eBay's other major brand, as PayPal -- the company's online payment business -- delivered $1.9 billion in revenue, a 20% increase from the year-ago quarter.

Why is this new security issue a problem?

Researchers were not only able to see what people were buying; in some cases they were also able to learn the real names behind eBay usernames. From a database of nearly 131,000 eBay usernames, they were able to link 17% to Facebook profiles, revealing the users' real names.

"While compiling data on purchasers of pregnancy or at-home HIV tests is useful to a fairly limited group -- perhaps advertisers or pharmaceutical companies -- assembling a database of those who have purchased gun accessories may have considerably more impact," said Minkus.

She explained that while eBay does not sell firearms, the marketplace sells a wide array of gun-related accessories. For this study, the researchers searched for those who had purchased gun holsters, presumably an indication of gun ownership. They recovered sales records for more than 292,827 gun holsters purchased by 228,332 individuals. Of those, 35,262 were linked to full names as they appear on Facebook.

"This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records," Minkus said.

Speaking in very general terms, gun owners tend to like their privacy. It could be very bad for eBay if they realize their purchases can be tracked. Customers buying incontinence products, those purchasing remedies for various embarrassing intimate medical issues, and perhaps those spending money on marital aids would also fall into the groups not eager to have their identities public.

The creators of the study shared their findings with eBay, which has not publicly commented. The company has not responded to a request from the Fool to its general public relations email account.  

eBay has to close this loophole

In addition to sharing their results with eBay, Minkus and Ross offered suggestions to patch the privacy flaw (which I am not detailing here because they include ways to exploit the current security problem). They also recommended that eBay generate random pseudonyms for buyers listed on a seller's feedback pages rather than using a persistent pseudonym.
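As an added illustration (not code from the researchers' paper or from eBay), the constructed Python below models what a seller's feedback page exposes: a persistent per-account label lets anyone join entries across sellers into a full purchase history, a hashed account name is no better because it is just as persistent, and a fresh random label per transaction leaves nothing to join. The seller names, items and buyer identifiers are constructed sample data.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample: one entry per feedback line a seller's page shows,
# as (seller, item, buyer account). The privacy outcome depends entirely
# on what label is printed in place of the buyer account.
FEEDBACK = [
    ("seller_holsters", "leather holster", "buyer_a"),
    ("seller_pharmacy", "at-home test kit", "buyer_a"),
    ("seller_books", "used textbook", "buyer_a"),
    ("seller_pharmacy", "at-home test kit", "buyer_b"),
    ("seller_toys", "bobblehead", "buyer_b"),
]

def persistent_pseudonym(buyer: str) -> str:
    # Hypothetical flawed scheme: one fixed label per account, reused on
    # every seller's page, so all of a buyer's entries share a join key.
    return "p_" + buyer

def hashed_pseudonym(buyer: str) -> str:
    # Looks anonymised but is still persistent: same input, same label,
    # so an observer can join across pages exactly as before.
    return "h_" + hashlib.sha256(buyer.encode()).hexdigest()[:16]

def random_pseudonym(buyer: str) -> str:
    # Per-transaction random label, as the researchers recommended.
    # Drawn from a CSPRNG, so it cannot be predicted or reproduced.
    return "r_" + secrets.token_hex(8)

def publish(feedback, scheme):
    """Return the entries as they would appear on sellers' feedback pages."""
    return [(seller, item, scheme(buyer)) for seller, item, buyer in feedback]

def link_histories(published):
    """What an observer can reconstruct by joining on the visible label."""
    by_label = defaultdict(list)
    for seller, item, label in published:
        by_label[label].append((seller, item))
    return by_label

def largest_linked_history(published) -> int:
    """Size of the biggest purchase history an observer can reassemble."""
    return max(len(entries) for entries in link_histories(published).values())

if __name__ == "__main__":
    for name, scheme in [("persistent", persistent_pseudonym),
                         ("hashed", hashed_pseudonym),
                         ("random", random_pseudonym)]:
        print(name, largest_linked_history(publish(FEEDBACK, scheme)))
```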

For eBay users, they recommend maintaining two separate accounts -- a private profile for buying and a public account for selling.

This issue may not be as big as compromised credit card data, but it is a violation of privacy that could cause people making certain types of transactions to leave eBay. Though the company may not be sharing this data intentionally, that does not change the fact that it is out there for anyone to exploit. eBay must act quickly to protect its customers.


Daniel Kline has no position in any stocks mentioned. The Motley Fool recommends eBay and Google (C shares). The Motley Fool owns shares of eBay and Google (C shares). The Motley Fool has a disclosure policy.
