April 8, 1999 1:35 PM PDT

Yahoo plugs security breach

In what one expert called a "violation of one of the basic principles of privacy," Yahoo until this afternoon revealed the addresses and order information of customers of one of its e-commerce partners.

Yahoo Store producer Paul Graham said the breach was a software bug that Yahoo fixed as soon as it was notified by CNET News.com. Graham said that all software contains bugs and "it would be naïve to promise that there'll be no bugs in the future."

"All I can really say is we do care a great deal about privacy," Graham said.

The incident comes as Rep. Edward Markey (D-Massachusetts) prepares to introduce a bill to regulate the use of personal data on the Internet, and as privacy advocates meet in Washington at the Computers, Freedom and Privacy conference.

The information was exposed on a demo site targeted at potential tenants of Yahoo Store. The demo site included customer data from Vitanet, a nutritional-supplement vendor. Included in the exposed order data were partial credit card numbers, products ordered, amounts spent, and a link to a map. The map link went to Yahoo Maps and gave customers' street addresses and a map of their surrounding area. The products ordered and amount spent are still on the site, but can no longer be linked to customers' addresses.

The demo site was easily accessible by going to the Store area from the More Yahoo page. The Store page offers visitors a test drive, which takes users to the "tracking tools" of the demo site. Through the tracking tools, visitors could access individual customer orders.

Although the order data did not include customer names or phone numbers, that information can be easily obtained through reverse lookup directories such as Infospace or Excite People Finder.

Graham said that although the link to customers' addresses had been up for "several weeks," no one at the company was aware of the glitch. Graham added that no one complained to the company about it.

"If someone had had a problem, they would have complained about it to us and we would have jumped right on it," Graham said.

Sandy Davidson, communications law professor at the University of Missouri's journalism school, said the taking of order information and using it for the demo site violated the principle that "information turned over for one use shouldn't be used for another purpose without consent."

Davidson said it is "disturbing" that the demo site provided customer addresses and involved nutritional product orders.

"Nutritional information is getting darn close to medical information, and medical information is the hallmark of privacy," Davidson said.

Vitanet owner Mark Kowalski said Vitanet has been a Yahoo Store tenant since August 1996 and has allowed its order information to be used for the demo site for at least a year. However, he said he was unaware that the demo site provided links to customer addresses and included partial credit card numbers.

"I had no knowledge that that was happening," Kowalski said. "It was probably an oversight, because I wouldn't want it up there."

Kowalski said he has some 20,000 customers. According to the order information, Vitanet has received about 14,700 orders for its products since September 1996. Although Vitanet's store site includes no privacy statement, Kowalski said he doesn't give out personal information.

"That is my policy, even though we don't have a statement on there," Kowalski said.

Jeff Scott of Charlotte was among those whose addresses and orders were exposed by Yahoo. An order he placed on Tuesday provided links to both his work address and his home address, and gave the type of credit card he used and the partial credit card number.

Scott said he often orders merchandise online and he was upset that his order information was made public.

"I generally expect it to be held private within the company itself," Scott said.

2 comments

Yahoo security has been breached and they won't fix it.
Yes, I have contacted Yahoo security department, now for the 5th day I cannot access my personal, mail plus account. I sent them all requested information and have gotten autoresponse, and finally one email requesting more information from Yahoo. This account has access to my photos, employment files. I have notified them daily and still nothing. I checked the Yahoo message board and two other people say the Yahoo has been breached. How can I publicize this and also make Yahoo return my paid account to me. I cannot change my password, which was hacked, because they say my information does not match the set up information, and now they have that information and I am still locked out of my account. Please someone help me. Is there a phone number where I can reach Yahoo?
Thanks
Isabella Hale
Posted by Itsya (7 comments )
My Yahoo has been hacked and I cannot find a phone # to get help
I need help as well. Someone, and I know who it was, has changed my password in my Yahoo mail and I need to cancel it. Who do I call? ndthand@hotmail.com
Posted by ndthand2 (1 comment )