eBay has been forced to close down one of its community message boards today after what appeared to be sensitive personal information was posted in public. User IDs, email addresses, name and address, Powerseller details and eBay registration dates as well as credit card numbers, expiry dates and CVV security numbers were posted on the US Trust and Safety Board this afternoon. Those who saw the incident report that around twenty pages of details were posted.
At the same time, some members were urging others to take screenshots and contact the media about the breach of security, while others complained that Liveworld, who manage eBay’s community chat boards, were pulling posts for minor infringements of their rules while leaving the personal information up for all to see. Auctionbytes reports that posts were visible for about an hour in total before eBay closed the T&S board altogether.
Whether the information is actually genuine is not yet clear: credit card details together with eBay registration information suggest that the source is – or is meant to seem to be – eBay itself. As merchants are not supposed to store CVV numbers, if the data is genuine, it may be the result of a phishing exercise. There is a possible PayPal connection too, as at least some of the message board thread titles are a jumble of letters and numbers that strongly resemble PayPal transaction numbers. Moreover, the posts appear to have been made by someone who had taken over a number of different genuine members’ accounts.
We’re currently seeking clarification on exactly what has gone on, and how serious a breach of eBay’s security this could be. I’ll update this post as we get more information, so do check back later.
Update: The first explanation of events has been and gone, with Xavier on the Australian community boards apparently stating “The site wasn’t actually hacked… it was a server issue where the system displayed the poster’s information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect.” Given that Xavier’s post itself has now been removed, I think we can take this explanation as incorrect.
Update: We’ve been sent this list of possibly compromised accounts. I have no indication of the source or veracity other than what’s on that page, but it’s probably worth casting an eye over the list for your IDs, and certainly worth notifying your card issuers if you’re there.
Update 19h20: The Chatter has a post about the incident, which suggests that the posts may have been the result of a phishing exercise:
The posts ALSO appeared to contain credit card information — however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We’re in the process of reaching out by phone to these members, so that if the information is valid somehow — regardless how this fraudster acquired the information — these members can take the steps they need to take to protect themselves.
This is a pretty speedy response by eBay’s standards, and it’s good to see them contacting those who may have been affected.