
eBay has made its fortune from people spending money; it now has 162 million users, saw $82 billion of sales in 2015, receives 250 million search requests per day, and has an annual revenue in excess of $8.5 billion.

It might be reasonable, therefore, to expect the site to be one of the most secure on the entire web. Worryingly, it’s not.

In the last few years, eBay has been hit with seemingly endless hacks, data breaches, and security flaws. In this article, we take a look at some of the problems that eBay has encountered and use them to highlight the reasons why you should avoid the company.

The 2014 Hack

The most famous eBay breach occurred in late February and early March of 2014.

The Syrian Electronic Army (SEA) took responsibility for the attack, which stole up to 145 million users’ email addresses, physical addresses, phone numbers, dates of birth, and encrypted passwords. eBay claimed that no bank account details were revealed; the SEA said they had bank account details but would not misuse them.


Slow to Respond to Problems

Having all that data stolen is bad enough, but what’s worse is that it took eBay until May to make the details of the hack public.

Even after the delay, it was a botched response. Firstly, a post went up on eBay’s blog detailing the hack. That was then taken down again as eBay laboriously emailed all users to notify them. There was no homepage splash and no public press release or statement.

Users were furious. “Just wondering why I’m hearing this from BBC before eBay,” said one reader on the BBC’s website.

Eventually, the company released the following statement:

“After conducting extensive tests on its networks, we have no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”

eBay then promised to implement a tool which would require users to change their password when they next logged in. It took several weeks to go live.

“It shouldn’t take this long to have something in place that forces users to change their passwords, and it should have let people know what was happening – it doesn’t take much time to send an email out for goodness sake,” security expert Alan Woodward told the BBC at the time. “It builds a picture of a firm with serious questions to answer.”

Lack of Encryption

The hack also raised questions over the company’s database security. Experts around the world questioned why the personal information they held was not encrypted.

Once again, eBay’s response was lukewarm:

“We provide different levels of security based on different types of information we’re storing and all financial information across all of our business is encrypted.”

The quote appeared to suggest that eBay didn’t view its users’ private information as important. No doubt 145 million people thought otherwise.

Lack of Concern About Individual Hacks

It’s not just the newsworthy hacks where the company has failed. Their customer service email system also leaves a lot to be desired, as evidenced by a famous post by a user called madonna_1966.

Her Yahoo email account was hacked, so she moved quickly to notify eBay. Initially, they removed all her pending listings and temporarily put a block on her bank cards. So far, so good.


However, as she was dealing with them via a non-eBay registered email, they advised her that they’d sent instructions on how to restore her account to her eBay email account — the same one as she had just told them had been hacked. They had just given the hacker a free pass to her eBay account.

As she wrote in her post, “1) Why did they take 2-3 days to acknowledge my plea. 2) If they can send a reply to a new email address why can’t they send the instructions as well?”

Post-2014 Fallout

Given the way eBay reacted to the Spring 2014 hack, it was somewhat unsurprising that the world’s hackers descended on the company to try and find further flaws.

It didn’t take them long.

Any Account Hackable in Less Than a Minute

An Egyptian security researcher called Yasser Ali found that he could hack anyone’s account if he knew the account holder’s real name; in the age of social media, that’s readily available information.

It worked because eBay exposed the random code it used as an HTML form parameter. That same code was then repeated within the link generated by the automatic “reset password” email sent to users, meaning the email-link stage could be bypassed entirely.
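The flaw above comes down to a reset code that the user-facing form already knew. As an added defender's illustration (not eBay's code), here is the shape of a reset flow that closes that gap: the token is minted server-side only after the email address is submitted, never appears in any form, is stored only as a hash, expires, and is burned on first use. The in-memory USERS and RESET_TOKENS dictionaries and the example.test link are constructed stand-ins for a real user table, token table and site URL.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for a real user store and a reset-token store.
USERS = {"alice@example.com": {"password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at)

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window


def _fingerprint(token):
    # Only the hash is persisted, so a leaked token table does not
    # hand out usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: the form submits only an email address.

    The token is generated here, after submission, and the only place it
    travels is the link returned for the mailbox. Nothing in the HTML
    form or the HTTP response body to the requester reveals it, which is
    exactly the property the eBay flow lacked.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        # A production handler should respond identically to avoid
        # confirming which addresses have accounts.
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_fingerprint(token)] = (email, now + TOKEN_TTL_SECONDS)
    return "https://example.test/reset?token=" + token  # sent by email only


def complete_reset(token, new_password_hash, now=None):
    """Step 2: the link from the mailbox presents the token.

    Lookup is by hash, the token is removed before any checks so it can
    never be replayed, and an expired token is rejected.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_fingerprint(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    USERS[email]["password_hash"] = new_password_hash
    return True
```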


He told eBay about the loophole in June 2014. It took eBay until September to do anything about it. During that time, any sophisticated hacker could have launched an automated mass password reset request attack for all accounts that were hacked in the Spring.

Are you starting to notice a common theme here?!

eBay Don’t Pay White Hat Hackers

Ali quit his job as a mechanical engineer to focus on information security and reportedly found several more bugs within the site.


However, unlike Google, Facebook, and other similar companies, eBay do not pay “good guy” hackers for vulnerability information. Instead, they merely publish a list of people who have helped out. Unsurprisingly, Ali stopped looking and now solely focuses on working with companies that do pay.

Who knows what other flaws are sitting there waiting to be discovered by would-be criminals?

The Problems Continue

There have been plenty more horror stories in the intervening years.

In late 2014 it was revealed that hundreds of listings had been created using cross-site scripting which, when clicked, directed users to everything from password harvesting scams to vicious malware. It was taking eBay more than 12 hours to remove each reported listing.

Elsewhere, a teenager from Australia called Joshua Rogers found an information leakage flaw and an SQL injection vulnerability. Once again, it took eBay several weeks to fix.

Refusal to Fix Flaws

Fast-forward to the present day and the company is still struggling.

In early 2016, eBay told security firm Check Point that it had no plans to fix a vulnerability that put users at risk of a wide range of threats, including phishing attacks and malware.


That attack utilizes JSF*ck and allows hackers to send users a legitimate page that contains malicious code. If a customer opens the page, Check Point claim it could “lead to multiple ominous scenarios that range from phishing to binary download.”

eBay was notified on 15th December but told Check Point on 16th January that they would not fix it.

In a statement, they said:

“As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world. We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Very comforting.

Are eBay Trustworthy?

As you will have ascertained, it seems eBay oscillate between incompetent and shambolic when it comes to security concerns.

Frankly, there is no way that a company of such size should have had so many things come to light in such a short period of time. We have to accept that things will occasionally go wrong, but eBay’s incredibly slow response time coupled with their lack of concern for serious flaws is extremely concerning. It seems like they have learned little in the last two years.

The bottom line is this: at best they will fix issues eventually, at worst, they’ll ignore them and hope no one notices.

Do these issues concern you? Have you fallen victim to one of the hacks? Do you trust the firm? As always, you can let us know your thoughts, opinions, and stories in the comments box below.

  1. J
    September 29, 2016 at 1:18 am

    Bastages! I've been trying to sell an item on eBay now for two weeks. And for the 4th time, the item was attempted to be purchased fraudulently by different hacked accounts.

    And all eBay says, "sorry, we realize you're upset. But there is nothing we can do. Maybe try waiting a few days before relisting your item. So maybe we can track down the hacker and try to block them."

    Meanwhile the item's value is dropping rapidly as the manufacturer has just announced a new and improved model. I've watched the value drop by $75 dollars in the past few weeks. To which one eBay rep said "sorry... um... I can send you a $15 voucher that you can use for a future purchase." Which by the way, they have not delivered yet.

    Bye Bye eBay. Have fun storming the castle.

  2. KEG99
    April 12, 2016 at 12:37 pm

    Great article. But may I suggest you watch for plurals when singulars apply:

    eBay do not pay

    Are eBay Trustworthy

    eBay oscillate between

    • Kathy Perow
      April 12, 2016 at 3:27 pm

      Thank you! It made me crazy, too. Hey, Dan! Where was your editor?

      • Dan Price
        April 12, 2016 at 4:29 pm

        Hi. My bad I'm afraid - that's how we write it in the UK and both myself and my editor are English, so this slipped through the net!

  3. Debra
    April 10, 2016 at 6:33 am

    I wish there was some place of serious competition for sellers at eBay to move away to another platform. I think they have been so big, they don't seriously care. I tried listing on Bonanza.com, and in months I haven't had a single sale. Back in 2008 lots of eBay sellers wanted to move away, there wasn't a good enough option even then to succeed. Would love to find an alternative.

    • Robert
      April 12, 2016 at 1:47 am

      There is actually, mercari is one of them. But it is still smaller compared with ebay though.

  4. Bogart
    April 9, 2016 at 9:08 am

    The problem is, competitors don't know how to advertise themselves against eBay so people don't know the alternative. I could quit selling on eBay but the buyers are still there, so it's hard for me to migrate.

    • fcd76218
      April 9, 2016 at 1:37 pm

      When people think of online selling, they automatically think 'eBay'.

      If you go to a bookstore, you can find dozens of books about shopping on eBay. I can't remember ever seeing even one book about Craigslist. Many Linux distros used to include an eBay bid tracking app in their repositories.

      Unfortunately, the people who could force eBay to change their policies, the customers, do not know about the security problems and other shenanigans that go on at eBay. If 50%-75% of eBay buyers and sellers suddenly went someplace else, eBay management would correct most problems almost overnight. However, that is not going to happen.

  5. Read and Share
    April 8, 2016 at 6:01 pm

    When I read the title, my first thought was "media hype" -- OK, seven reasons to be careful while using EBay, but to avoid entirely??

    After reading the article, I now think: we must all vote with our wallets. If we don't, then things (like storing personal info in plain, readable format) will never change!

    But EBay won't even notice if I stop signing in. What is the best way to let them know why I won't be signing in until things change?
