Latest eBay Data Breach Shows Deeper Security Concerns Than Reported

eBay (NASDAQ: EBAY) has a second security problem on its hands.

In May, the company's systems were compromised by hackers, exposing some information on nearly 150 million eBay users. The company asked all its customers to reset their passwords, but stressed that no financial data -- such as credit card numbers -- had been breached.

Now buyers and sellers using the online marketplace may be revealing far more than they intend to. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer's complete purchase history. That's a severe privacy breach, potentially revealing very personal information.

The paper was written by Keith W. Ross, dean of engineering and computer science at NYU Shanghai, and Leonard J. Shustek, professor of computer science and engineering at the NYU school of engineering, along with doctoral candidate Tehila Minkus. Minkus and Ross began examining the issue when Minkus, an eBay user, was browsing the feedback section of a would-be purchaser's eBay profile following a botched transaction. Minkus noticed that with very little effort she was able to obtain a list of all prior purchases. Further probing revealed that this was not an anomaly -- it was a problem that could be exploited across all accounts.

"This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual's buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases," Ross said. "This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials."

This is clearly an unintentional loophole. eBay would not want to make data public that could embarrass users and send them shopping elsewhere. Having a security breach that lets anyone see what a user buys -- be it bobbleheads or hemorrhoid cream -- could cause customers to flee for more secure stores. 

Did the first breach hurt eBay? 

eBay CFO Bob Swan said on a conference call Wednesday that the initial data breach slowed user activity and revenue in the company's online marketplace. Still, revenue for the quarter in the eBay.com marketplace segment of the business climbed 9% to $2.7 billion.

The marketplace results were also hurt by changes Google (NASDAQ: GOOG) made to its search engine algorithm, which caused some eBay pages to show up less prominently in search results, The New York Times reported.

"While we are confident we will work through the global password reset and SEO changes, it will take longer and cost more," Swan said during the call. 

There did not appear to be any fallout from the scandal with eBay's other major brand as PayPal -- the company's online payment business -- delivered $1.9 billion in revenue, a 20% increase from the year-ago quarter.

Why is this new security issue a problem?

Researchers were not only able to see what people are buying; in some cases they were also able to learn the real names behind eBay usernames. Among a database of nearly 131,000 eBay usernames, they were able to link 17% to Facebook profiles, revealing the users' real names.

"While compiling data on purchasers of pregnancy or at-home HIV tests is useful to a fairly limited group -- perhaps advertisers or pharmaceutical companies -- assembling a database of those who have purchased gun accessories may have considerably more impact," said Minkus.

She explained that while eBay does not sell firearms, the marketplace sells a wide array of gun-related accessories. For this study, the researchers searched for those who had purchased gun holsters, presumably an indication of gun ownership. They recovered sales records for more than 292,827 gun holsters purchased by 228,332 individuals. Of those, 35,262 were linked to full names as they appear on Facebook.

"This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records," Minkus said.

Speaking in very general terms, gun owners tend to like their privacy. It could be very bad for eBay if they realize their purchases can be tracked. Customers buying incontinence products, those purchasing remedies for various embarrassing intimate medical issues, and perhaps those spending money on marital aids would also fall into the groups not eager to have their identities public.

The creators of the study shared their findings with eBay, which has not publicly commented. The company has not responded to a request from the Fool to its general public relations email account.  

eBay has to close this loophole

In addition to sharing their results with eBay, Minkus and Ross offered suggestions to patch the privacy flaw (which I am not detailing here because they include ways to exploit the current security problem). They also recommended that eBay generate random pseudonyms for buyers listed on a seller's feedback pages rather than using a persistent pseudonym.
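The pseudonym recommendation above, sketched as an added example (not code from the paper, the researchers, or eBay): a persistent per-buyer label lets an observer join feedback rows across sellers, while a fresh random label per feedback entry does not. The function names, label format, and sample rows are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret

def persistent_pseudonym(buyer_id: str) -> str:
    """Weak design: the same buyer always gets the same public label."""
    digest = hmac.new(SERVER_KEY, buyer_id.encode(), hashlib.sha256).hexdigest()
    return "buyer-" + digest[:10]

def random_pseudonym(_buyer_id: str) -> str:
    """Recommended design: a fresh label per feedback entry, unrelated to the buyer."""
    return "buyer-" + secrets.token_hex(5)

def render_feedback(transactions, pseudonymize):
    """Build the public rows that would appear on sellers' feedback pages."""
    return [(seller, pseudonymize(buyer), item) for seller, buyer, item in transactions]

def max_linkable_history(public_rows) -> int:
    """Largest number of purchases an observer can tie to one public label."""
    by_label = defaultdict(list)
    for _seller, label, item in public_rows:
        by_label[label].append(item)
    return max(len(items) for items in by_label.values())

# Constructed sample data: (seller, internal buyer id, item)
TRANSACTIONS = [
    ("seller_a", "u1001", "phone case"),
    ("seller_b", "u1001", "vitamins"),
    ("seller_c", "u1001", "paperback"),
    ("seller_a", "u2002", "bobblehead"),
]

if __name__ == "__main__":
    # Persistent labels: one label collects all three of u1001's purchases.
    print(max_linkable_history(render_feedback(TRANSACTIONS, persistent_pseudonym)))
    # Random labels: every feedback row stands alone.
    print(max_linkable_history(render_feedback(TRANSACTIONS, random_pseudonym)))
```

Hiding the username behind a stable hash is not enough on its own: the linkage comes from the label repeating across feedback pages, so it has to change per entry.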

For eBay users, they recommend maintaining two separate accounts -- a private profile for buying and a public account for selling.

This issue may not be as big as compromised credit card data, but it is a violation of privacy that could cause people making certain types of transactions to leave eBay. Though the company may not be sharing this data intentionally, that does not change that it is out there for anyone to exploit. eBay must act quickly to protect its customers.


Comments from our Foolish Readers


  • On July 22, 2014, at 2:25 PM, Resco wrote:

    For a moment I thought I had arrived at The Onion. This "security breach" that these esteemed researchers just "discovered" is by design and has existed for 15 years.

  • On July 22, 2014, at 3:57 PM, OldeKingTroll wrote:

    " This "security breach" that these esteemed researchers just "discovered" is by design and has existed for 15 years."

    True.

  • On July 22, 2014, at 7:02 PM, ThisUsername wrote:

    Also you are only able to find the past 30 or so days of purchase history and not all purchases are shown.

  • On July 22, 2014, at 10:48 PM, yukon25 wrote:

    These two "researchers" are morons. You've ALWAYS been able to see buying history on eBay. It's not a data breach for heaven's sake.

  • On August 27, 2014, at 11:34 AM, Wordninja wrote:

    Just clicked over to the paper, looks like they also did a survey seeing if users considered their data private (spoiler: they did). So a breach after all, FWIW.
