EASTLondon
01-25-2005, 04:01 PM
Published: January 25, 2005, 1:12 PM PST
By Robert Lemos
Staff Writer, CNET News.com
Online financial service PayPal has warned a small number of customers that they should be extra-vigilant against online scams, after their e-mail addresses were leaked on the Internet.
The subsidiary of Web auctioneer eBay said this week that Benchmark Portal had not properly secured an online form for customers to opt out of a recent survey that PayPal had hired the company to perform. PayPal did not reveal how many e-mail addresses had been harvested using the flaw, but called the breach "extremely limited."
"Even first and last names are only kept on our own servers," PayPal spokeswoman Sara Bettencourt said. "All sensitive financial information resides on our servers, and none of that information was ever accessed."
The data leak was possible because of a flaw in the opt-out form provided by Benchmark Portal (http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.benchmark portal.com%2Fnewsite%2Findex.tml&siteId=3&oId=2100-1029-5550046&ontId=1009&lop=nl.ex), a provider of survey services. The form showed a customer's e-mail address to anyone who guessed a the survey ID for that customer. If the intruder hit on valid number for an ID, the PayPal user's e-mail address was returned.
Benchmark Portal could not immediately be reached for comment.
Bettencourt said that PayPal had contacted every affected user and had reserved a customer service number for them. Because only e-mail addresses were accessed, the consequences of the leak should be minimal, she said. The affected users may get a larger number of e-mail scams than normal, she said.
Like banks and other financial institutions, PayPal is a major target of scams (http://news.com.com/Banks+bearing+the+brunt+of+phishing+scam s/2100-1029_3-5543998.html?tag=nl) known as phishing attacks, because sensitive information gained from customers can be turned into cash. Bettencourt would not discuss whether the data leak had had an impact on PayPal's relationship with Benchmark.
"Right now, we are working with them to make sure that this doesn't occur in the future," Bettencourt said.
News Article Link (http://news.com.com/Data+leak+puts+PayPal+users+at+phishing+ risk/2100-1029_3-5550046.html?tag=cd.top)
By Robert Lemos
Staff Writer, CNET News.com
Online financial service PayPal has warned a small number of customers that they should be extra-vigilant against online scams, after their e-mail addresses were leaked on the Internet.
The subsidiary of Web auctioneer eBay said this week that Benchmark Portal had not properly secured an online form for customers to opt out of a recent survey that PayPal had hired the company to perform. PayPal did not reveal how many e-mail addresses had been harvested using the flaw, but called the breach "extremely limited."
"Even first and last names are only kept on our own servers," PayPal spokeswoman Sara Bettencourt said. "All sensitive financial information resides on our servers, and none of that information was ever accessed."
The data leak was possible because of a flaw in the opt-out form provided by Benchmark Portal (http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.benchmark portal.com%2Fnewsite%2Findex.tml&siteId=3&oId=2100-1029-5550046&ontId=1009&lop=nl.ex), a provider of survey services. The form showed a customer's e-mail address to anyone who guessed a the survey ID for that customer. If the intruder hit on valid number for an ID, the PayPal user's e-mail address was returned.
Benchmark Portal could not immediately be reached for comment.
Bettencourt said that PayPal had contacted every affected user and had reserved a customer service number for them. Because only e-mail addresses were accessed, the consequences of the leak should be minimal, she said. The affected users may get a larger number of e-mail scams than normal, she said.
Like banks and other financial institutions, PayPal is a major target of scams (http://news.com.com/Banks+bearing+the+brunt+of+phishing+scam s/2100-1029_3-5543998.html?tag=nl) known as phishing attacks, because sensitive information gained from customers can be turned into cash. Bettencourt would not discuss whether the data leak had had an impact on PayPal's relationship with Benchmark.
"Right now, we are working with them to make sure that this doesn't occur in the future," Bettencourt said.
News Article Link (http://news.com.com/Data+leak+puts+PayPal+users+at+phishing+ risk/2100-1029_3-5550046.html?tag=cd.top)