Latest eBay Data Breach Shows Deeper Security Concerns Than Reported

Two NYU professors have uncovered a flaw in the company's system that makes private data public.

Jul 22, 2014 at 10:17AM

eBay (NASDAQ:EBAY) has a second security problem on its hands.

In May the company's systems were compromised by hackers exposing some information of nearly 150 million eBay users. The company asked all its customers to reset their passwords, but stressed that no financial data -- such as credit card numbers -- had been breached.

Now buyers and sellers using the online marketplace may be revealing far more than they intend to. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer's complete purchase history. That's a severe privacy breach, potentially revealing very personal information.

The paper was written by Keith W. Ross, dean of engineering and computer science at NYU Shanghai, and Leonard J. Shustek, professor of computer science and engineering at the NYU school of engineering, along with doctoral candidate Tehila Minkus. Minkus and Ross began examining the issue when Minkus, an eBay user, was browsing the feedback section of a would-be purchaser's eBay profile following a botched transaction. Minkus noticed that with very little effort she was able to obtain a list of all prior purchases. Further probing revealed that this was not an anomaly -- it was a problem that could be exploited across all accounts.

"This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual's buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases," Ross said. "This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials."

This is clearly an unintentional loophole. eBay would not want to make data public that could embarrass users and send them shopping elsewhere. Having a security breach that lets anyone see what a user buys -- be it bobbleheads or hemorrhoid cream -- could cause customers to flee for more secure stores. 

Did the first breach hurt eBay? 

eBay CFO Bob Swan said on a conference call Wednesday that the initial data breach slowed user activity and revenue in the company's online marketplace. Still, revenue for the quarter in the marketplace segment of the business climbed 9% to $2.7 billion.

The marketplace results were also hurt by changes Google (NASDAQ:GOOG) made to its search engine algorithm, which caused some eBay pages to show up less prominently in search results, The New York Times reported.

"While we are confident we will work through the global password reset and SEO changes, it will take longer and cost more," Swan said during the call. 

There did not appear to be any fallout from the scandal with eBay's other major brand as PayPal -- the company's online payment business -- delivered $1.9 billion in revenue, a 20% increase from the year-ago quarter.

Why is this new security issue a problem?

Researchers were not only able to see what people are buying, in some cases they were able to learn the real names behind eBay usernames. Among a database of nearly 131,000 eBay usernames, they were able to link 17% to Facebook profiles, revealing the users' real names.

"While compiling data on purchasers of pregnancy or at-home HIV tests is useful to a fairly limited group -- perhaps advertisers or pharmaceutical companies -- assembling a database of those who have purchased gun accessories may have considerably more impact," said Minkus.

She explained that while eBay does not sell firearms, the marketplace sells a wide array of gun-related accessories. For this study, the researchers searched for those who had purchased gun holsters, presumably an indication of gun ownership. They recovered sales records for more than 292,827 gun holsters purchased by 228,332 individuals. Of those, 35,262 were linked to full names as they appear on Facebook.

"This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records," Minkus said.

Speaking in very general terms, gun owners tend to like their privacy. It could be very bad for eBay if they realize their purchases can be tracked. Customers buying incontinence products, those purchasing remedies for various embarrassing intimate medical issues, and perhaps those spending money on marital aids would also fall into the groups not eager to have their identities public.

The creators of the study shared their findings with eBay, which has not publicly commented. The company has not responded to a request from the Fool to its general public relations email account.  

eBay has to close this loophole

In addition to sharing their results with eBay, Minkus and Ross offered suggestions to patch the privacy flaw (which I am not detailing here because they include ways to exploit the current security problem). They also recommended that eBay generate random pseudonyms for buyers listed on a seller's feedback pages rather than using a persistent pseudonym.

For eBay users, they recommend maintaining two separate accounts -- a private profile for buying and a public account for selling.

This issue may not be as big as compromised credit card data, but it is a violation of privacy that could cause people making certain types of transactions to leave eBay. Though the company may not be sharing this data intentionally, that does not change that it is out there for anyone to exploit. eBay must act quickly to protect its customers.

Warren Buffett: This new technology is a 'real threat'

At the recent Berkshire Hathaway annual meeting, Warren Buffett admitted this emerging technology is threatening his biggest cash-cow. While Buffett shakes in his billionaire-boots, only a few investors are embracing this new market which experts say will be worth over $2 trillion. Find out how you can cash in on this technology before the crowd catches on, by jumping onto one company that could get you the biggest piece of the action. Click here to access a FREE investor alert on the company we're calling the "brains behind" the technology.

Daniel Kline has no position in any stocks mentioned. The Motley Fool recommends eBay and Google (C shares). The Motley Fool owns shares of eBay and Google (C shares). Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.

4 in 5 Americans Are Ignoring Buffett's Warning

Don't be one of them.

Jun 12, 2015 at 5:01PM

Admitting fear is difficult.

So you can imagine how shocked I was to find out Warren Buffett recently told a select number of investors about the cutting-edge technology that's keeping him awake at night.

This past May, The Motley Fool sent 8 of its best stock analysts to Omaha, Nebraska to attend the Berkshire Hathaway annual shareholder meeting. CEO Warren Buffett and Vice Chairman Charlie Munger fielded questions for nearly 6 hours.
The catch was: Attendees weren't allowed to record any of it. No audio. No video. 

Our team of analysts wrote down every single word Buffett and Munger uttered. Over 16,000 words. But only two words stood out to me as I read the detailed transcript of the event: "Real threat."

That's how Buffett responded when asked about this emerging market that is already expected to be worth more than $2 trillion in the U.S. alone. Google has already put some of its best engineers behind the technology powering this trend. 

The amazing thing is, while Buffett may be nervous, the rest of us can invest in this new industry BEFORE the old money realizes what hit them.

KPMG advises we're "on the cusp of revolutionary change" coming much "sooner than you think."

Even one legendary MIT professor had to recant his position that the technology was "beyond the capability of computer science." (He recently confessed to The Wall Street Journal that he's now a believer and amazed "how quickly this technology caught on.")

Yet according to one J.D. Power and Associates survey, only 1 in 5 Americans are even interested in this technology, much less ready to invest in it. Needless to say, you haven't missed your window of opportunity. 

Think about how many amazing technologies you've watched soar to new heights while you kick yourself thinking, "I knew about that technology before everyone was talking about it, but I just sat on my hands." 

Don't let that happen again. This time, it should be your family telling you, "I can't believe you knew about and invested in that technology so early on."

That's why I hope you take just a few minutes to access the exclusive research our team of analysts has put together on this industry and the one stock positioned to capitalize on this major shift.

Click here to learn about this incredible technology before Buffett stops being scared and starts buying!

David Hanson owns shares of Berkshire Hathaway and American Express. The Motley Fool recommends and owns shares of Berkshire Hathaway, Google, and Coca-Cola.We Fools don't all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.

©1995-2014 The Motley Fool. All rights reserved. | Privacy/Legal Information