eBay (NASDAQ:EBAY) has a second security problem on its hands.
In May, the company's systems were compromised by hackers, exposing some information of nearly 150 million eBay users. The company asked all its customers to reset their passwords, but stressed that no financial data -- such as credit card numbers -- had been breached.
Now buyers and sellers using the online marketplace may be revealing far more than they intend to. Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have discovered a privacy flaw that allows site visitors to view a buyer's complete purchase history. That's a severe privacy breach, potentially revealing very personal information.
The paper was written by Keith W. Ross, dean of engineering and computer science at NYU Shanghai, and Leonard J. Shustek, professor of computer science and engineering at the NYU school of engineering, along with doctoral candidate Tehila Minkus. Minkus and Ross began examining the issue when Minkus, an eBay user, was browsing the feedback section of a would-be purchaser's eBay profile following a botched transaction. Minkus noticed that with very little effort she was able to obtain a list of all prior purchases. Further probing revealed that this was not an anomaly -- it was a problem that could be exploited across all accounts.
"This breach can be exploited on a scale ranging from a snooping spouse or an employer investigating an individual's buying habits to a large-scale, automated attack that could quickly link millions of people with their purchases," Ross said. "This is exactly the kind of information that could be very valuable to marketers, cybercriminals, or even law enforcement officials."
This is clearly an unintentional loophole. eBay would not want to make data public that could embarrass users and send them shopping elsewhere. Having a security breach that lets anyone see what a user buys -- be it bobbleheads or hemorrhoid cream -- could cause customers to flee for more secure stores.
Did the first breach hurt eBay?
eBay CFO Bob Swan said on a conference call Wednesday that the initial data breach slowed user activity and revenue in the company's online marketplace. Still, revenue for the quarter in the eBay.com marketplace segment of the business climbed 9% to $2.7 billion.
The marketplace results were also hurt by changes Google (NASDAQ:GOOG) made to its search engine algorithm, which caused some eBay pages to show up less prominently in search results, The New York Times reported.
"While we are confident we will work through the global password reset and SEO changes, it will take longer and cost more," Swan said during the call.
There did not appear to be any fallout from the scandal for eBay's other major brand, as PayPal -- the company's online payment business -- delivered $1.9 billion in revenue, a 20% increase from the year-ago quarter.
Why is this new security issue a problem?
Researchers were not only able to see what people are buying; in some cases they were also able to learn the real names behind eBay usernames. Among a database of nearly 131,000 eBay usernames, they were able to link 17% to Facebook profiles, revealing the users' real names.
"While compiling data on purchasers of pregnancy or at-home HIV tests is useful to a fairly limited group -- perhaps advertisers or pharmaceutical companies -- assembling a database of those who have purchased gun accessories may have considerably more impact," said Minkus.
She explained that while eBay does not sell firearms, the marketplace sells a wide array of gun-related accessories. For this study, the researchers searched for those who had purchased gun holsters, presumably an indication of gun ownership. They recovered sales records for more than 292,827 gun holsters purchased by 228,332 individuals. Of those, 35,262 were linked to full names as they appear on Facebook.
"This privacy loophole can provide leads for law enforcement or private investigators looking for unregistered gun owners, but it can also give private information to background-check providers or data aggregators who want to include gun ownership in their records," Minkus said.
Speaking in very general terms, gun owners tend to like their privacy. It could be very bad for eBay if they realize their purchases can be tracked. Customers buying incontinence products, those purchasing remedies for various embarrassing intimate medical issues, and perhaps those spending money on marital aids would also fall into the groups not eager to have their identities public.
The creators of the study shared their findings with eBay, which has not publicly commented. The company has not responded to a request from the Fool sent to its general public relations email account.
eBay has to close this loophole
In addition to sharing their results with eBay, Minkus and Ross offered suggestions to patch the privacy flaw (which I am not detailing here because they include ways to exploit the current security problem). They also recommended that eBay generate random pseudonyms for buyers listed on a seller's feedback pages rather than using a persistent pseudonym.
For eBay users, they recommend maintaining two separate accounts -- a private profile for buying and a public account for selling.
This issue may not be as big as compromised credit card data, but it is a violation of privacy that could cause people making certain types of transactions to leave eBay. Though the company may not be sharing this data intentionally, that does not change the fact that it is out there for anyone to exploit. eBay must act quickly to protect its customers.