eBay Bids to Fix a Security Hole
See? You don’t just have to be a buzzy social network to suffer through security problems. You can be a relatively staid Web 1.0 giant, too. eBay (EBAY) is warning developers who build programs that incorporate the online marketplace’s engine about a security breach.
In letters sent Monday to 90,000 developers who work on eBay’s Developers Program, the company warns about a security hole that could cause problems, but hasn’t yet. It also takes pains to point out that the security flaw doesn’t affect eBay customers themselves. eBay says third-party software now accounts for 25 percent of its listings.
An eBay spokesman tells me that eBay came across the weakness itself, not because a hacker had exploited it, and that the company is acting “out of an abundance of caution,” which is a term the eBay folks seem to favor (see email text below). “The information that *may* have been compromised consisted of basic contact information that could potentially be used in a phishing attack. At this point, we have not identified any unusual patterns in our developer accounts and we are notifying them and requesting they change their developer passwords out of an abundance of caution [sic].”
Here’s the complete text of eBay’s heads-up letter:
Hello [redacted], this is Kumar Kandaswamy, and I manage the eBay Developers Program. I’d like you to read this important message about account safety. The safety and security of the eBay Developers Program is a top priority. While we believe that people are basically good, we also must live with the reality that there are fraudsters out there who have made it their illicit “profession” to find ways to exploit others on the Internet.
Occasionally, fraudsters attempt to gain unauthorized access to the eBay Developers Program. eBay has recently identified a means by which someone could gain access to eBay Developers Program account information. This type of access DOES NOT allow the capture of financial or other sensitive information, such as credit card or bank account information or Social Security numbers.
Fortunately, we have not detected any unusual activity with any Developer account. Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers take the following steps:
* Take advantage of our new, stricter password standards and change your eBay Developers Program (developer.ebay.com) passwords. It is not necessary to change eBay (www.ebay.com) passwords. If you believe you or your customers have been the victim of fraudulent activity, contact us immediately at apifeedback@ebay.com.
Sincerely, Kumar Kandaswamy