RealTime IT News

eBay Battling Security Woes

Auction giant eBay is warning users about possible attempts to gain access to their private information and said that it shut down its "change your password" feature temporarily to install a fix for a hole in its security system.

The password-change function was disabled between approximately 5:30 p.m. PST on Tuesday and 1:19 a.m. PST today, eBay spokesman Kevin Pursglove said, adding that "we have identified and corrected the issue and the function is once again accessible."

The security hole had let anyone who already had the user ID of an account go in through eBay's password-change feature, change the legitimate user's password and gain access to the account.

"We apologize for any inconvenience to eBay users who attempted to use the function during these times but we believed the action we took was necessary," Pursglove said. "We continue to review the situation and will update the community as needed."

The warning about the e-mail scam came in an announcement on the site, in which eBay said that several of its users "have notified us about a possible attempt to gain access to their private information through an e-mail solicitation made to appear as if it is originating from eBay."

The company is also said to be working to resolve a problem that allows automated programs to generate passwords until they find one that works on a known eBay user ID.

Fraud clearly is a concern at San Jose, Calif.-based eBay. Pursglove has said that less than one one-hundredth of 1 percent of its listings end in confirmed cases of fraud. However, that's enough to warrant telling investors.

In a recent filing with the Securities and Exchange Commission, eBay said that it believes "that government regulators have received a substantial number of consumer complaints about us, which, while small as a percentage of our total transactions, are large in aggregate numbers. As a result, we have from time to time been contacted by various foreign, federal, state and local regulatory agencies and been told that they have questions with respect to the adequacy of the steps we take to protect our users from fraud."