Auction giant eBay is warning users about possible attempts to gain access to
their private information and said that it shut down its “change your
password” feature temporarily to install a fix for a hole in its security
system.
The password-change function was disabled between approximately 5:30 p.m. PST
on Tuesday and 1:19 a.m. PST today, eBay spokesman Kevin Pursglove said,
adding that “we have identified and corrected the issue and the function is
once again accessible.”
The security hole let anyone who already had the user ID of an account go in
through eBay’s password-change feature, change the legitimate user’s password
and gain access to the account.
“We apologize for any inconvenience to eBay users who attempted to use the
function during these times but we believed the action we took was
necessary,” Pursglove said. “We continue to review the situation and will
update the community as needed.”
The warning about the e-mail scam came in an announcement on the site, in
which eBay said that several of its users “have notified us about a possible
attempt to gain access to their private information through an e-mail
solicitation made to appear as if it is originating from eBay.”
The company is also said to be working to resolve a problem that allows
automated programs to generate passwords looking for one that works on a
known eBay user ID.
Fraud clearly is a concern at San Jose, Calif.-based eBay. Pursglove has said
that less than one one-hundredth of 1 percent of its listings end in
confirmed cases of fraud. However, that’s enough to warrant telling
investors.
In a recent filing with the Securities and Exchange Commission, eBay said that
it believes “that government regulators have received a substantial number of
consumer complaints about us, which, while small as a percentage of our total
transactions, are large in aggregate numbers. As a result, we have from time
to time been contacted by various foreign, federal, state and local
regulatory agencies and been told that they have questions with respect to
the adequacy of the steps we take to protect our users from fraud.”