
Insecure online forms put PayPal users at risk

Published: 26 Jan 2005 09:20 GMT


Online financial service PayPal has warned a small number of customers that they should be extra-vigilant against online scams, after their email addresses were leaked on the Internet.

The subsidiary of Web auctioneer eBay said this week that BenchmarkPortal had not properly secured an online form for customers to opt out of a recent survey that PayPal had hired the company to perform. PayPal did not reveal how many email addresses had been harvested using the flaw but called the breach "extremely limited".

"Even first and last names are only kept on our own servers," PayPal spokeswoman Sara Bettencourt said. "All sensitive financial information resides on our servers, and none of that information was ever accessed."

The data leak was possible because of a flaw in the opt-out form provided by BenchmarkPortal, a provider of survey services. The form showed a customer's email address to anyone who guessed BenchmarkPortal's survey ID for that customer. If an intruder guessed a valid ID number, the corresponding PayPal user email address was returned.
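The flaw described above, shown beside one way to close it, as an added example that is not BenchmarkPortal's or PayPal's code. The numeric survey IDs, sample addresses, function names and the HMAC-signed link token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: survey ID -> customer email (hypothetical values).
SURVEY_RECIPIENTS = {1001: "alice@example.com", 1002: "bob@example.com"}
OPTED_OUT = set()
SECRET_KEY = secrets.token_bytes(32)  # server-side key, never sent to clients


def optout_page_vulnerable(survey_id):
    """Behaviour described in the article: a valid ID alone reveals the email."""
    email = SURVEY_RECIPIENTS.get(survey_id)
    if email is None:
        return "Unknown survey ID"
    return f"Unsubscribe {email} from this survey?"


def _mac(survey_id_text):
    """HMAC-SHA256 over the survey ID, hex encoded."""
    return hmac.new(SECRET_KEY, survey_id_text.encode(), hashlib.sha256).hexdigest()


def make_optout_token(survey_id):
    """Value placed in the emailed opt-out link: '<id>.<hmac>'."""
    return f"{survey_id}.{_mac(str(survey_id))}"


def optout_page_hardened(token):
    """Require a valid MAC and never echo the address back to the browser."""
    generic = "If this link is valid, you have been opted out."
    survey_id, _, mac = token.partition(".")
    # Constant-time comparison of the supplied MAC against the expected one.
    valid = hmac.compare_digest(mac.encode(), _mac(survey_id).encode())
    if valid and survey_id.isdigit() and int(survey_id) in SURVEY_RECIPIENTS:
        OPTED_OUT.add(int(survey_id))
    # Same response for valid and invalid links, so guessing confirms nothing.
    return generic
```

With the hardened handler a guessed ID is useless without the matching MAC, and even a valid link does not display the address it belongs to.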

BenchmarkPortal could not immediately be reached for comment.

Bettencourt said PayPal had contacted every affected user and had reserved a customer service number for them. Because only email addresses were accessed, the consequences of the leak should be minimal, she said. The affected users may get a larger number of email scams than normal, she said.

Like banks and other financial institutions, PayPal is a major target of phishing attacks, because sensitive information gained from customers can be turned into cash. Bettencourt would not discuss whether the data leak had an impact on PayPal's relationship with BenchmarkPortal.

"Right now, we are working with them to make sure that this doesn't occur in the future," Bettencourt said.
