January 25, 2005 1:12 PM PST

Data leak puts PayPal users at phishing risk

Online financial service PayPal has warned a small number of customers that they should be extra-vigilant against online scams, after their e-mail addresses were leaked on the Internet.

The subsidiary of Web auctioneer eBay said this week that BenchmarkPortal had not properly secured an online form for customers to opt out of a recent survey that PayPal had hired the company to perform. PayPal did not reveal how many e-mail addresses had been harvested using the flaw but called the breach "extremely limited."

"Even first and last names are only kept on our own servers," PayPal spokeswoman Sara Bettencourt said. "All sensitive financial information resides on our servers, and none of that information was ever accessed."

The data leak was possible because of a flaw in the opt-out form provided by BenchmarkPortal, a provider of survey services. The form showed a customer's e-mail address to anyone who guessed BenchmarkPortal's survey ID for that customer. If an intruder guessed a valid ID number, the corresponding PayPal user e-mail address was returned.
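
An added example, not part of the original article and not BenchmarkPortal's code: a Python sketch of the flaw described above beside a hardened opt-out handler. The survey IDs, addresses, function names and the HMAC-signed link format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: survey IDs and addresses are invented for illustration.
SURVEY_RECIPIENTS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}
OPTED_OUT = set()
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def optout_vulnerable(survey_id):
    """The flawed pattern: the ID alone is the credential and the page echoes the address."""
    email = SURVEY_RECIPIENTS.get(survey_id)
    if email is None:
        return "Unknown survey ID."
    OPTED_OUT.add(survey_id)
    return f"{email} has been removed from the survey."


def make_optout_token(survey_id):
    """Issued only inside the e-mail sent to the recipient: '<id>.<HMAC-SHA256 tag>'."""
    tag = hmac.new(LINK_KEY, str(survey_id).encode(), hashlib.sha256).hexdigest()
    return f"{survey_id}.{tag}"


def optout_hardened(token):
    """Verify the tag in constant time; return one generic message either way."""
    generic = "If this link was valid, you have been removed from the survey."
    sid, _, tag = token.partition(".")
    expected = hmac.new(LINK_KEY, sid.encode(), hashlib.sha256).hexdigest()
    tag_ok = hmac.compare_digest(tag.encode(), expected.encode())
    if tag_ok and sid.isdigit() and int(sid) in SURVEY_RECIPIENTS:
        OPTED_OUT.add(int(sid))
    return generic


def addresses_exposed(handler, candidates):
    """Audit helper: count responses that disclose a stored address."""
    return sum(
        any(email in handler(c) for email in SURVEY_RECIPIENTS.values())
        for c in candidates
    )
```

The hardened handler never places the address in the response and answers valid and invalid links identically, so the response reveals neither an address nor whether an ID exists.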

BenchmarkPortal could not immediately be reached for comment.

Bettencourt said PayPal had contacted every affected user and had reserved a customer service number for them. Because only e-mail addresses were accessed, the consequences of the leak should be minimal, she said. The affected users may get a larger number of e-mail scams than normal, she said.

Like banks and other financial institutions, PayPal is a major target of scams known as phishing attacks, because sensitive information gained from customers can be turned into cash. Bettencourt would not discuss whether the data leak had an impact on PayPal's relationship with BenchmarkPortal.

"Right now, we are working with them to make sure that this doesn't occur in the future," Bettencourt said.

2 comments

REALLY?!?!
An email that looks like it came from PayPal that's not what it appears to be? Who'da thunk??
Posted by Jim Harmon (329 comments )
PayPal Allows Fraud !
I just finished winning an auction on eBay and went to pay for it using the <PAY> button on the screen. When I went to pay using my PayPal account it would only allow me to pay using Direct Transfer or eCheck, the two least secure methods. When I finally got in contact with Customer Service I was told that PayPal employs analytical safeguards to identify patterns of high-risk transaction behavior in their system. I asked her what variables they were using to determine this; she said she did not know. I asked if there was a problem with my account or credit card, she replied "No." I asked how using Direct Transfer or eCheck protects me the buyer and she replied, it doesn't.

PayPal offers no protection for using Direct Transfer or eCheck so if you end up being the victim of a scam which is becoming an epidemic on eBay you're out. PayPal's so-called Buyer Protection is another scam because you have to pay a fee for it and most of the time they will find a way to disqualify or dismiss a complaint. PayPal and eBay are in the business of scamming both Buyers and Sellers. It's no wonder why eBay has had to adjust their earning projects in recent days. People are quickly finding out that they facilitate the fraudulent actions on their website and then play dumb. Their purchase of PayPal was just to increase their money making scam. The Federal Government needs to get involved and shut down eBay and PayPal.
Posted by Cloz68 (6 comments )