Auctionbytes-NewsFlash, Number 1626 - September 21, 2007 - ISSN 1539-5065

eBay Personalization Gaffe Could Help Phishers
By Ina Steiner
AuctionBytes.com
September 21, 2007

An eBay marketing campaign sent to 4 million shoppers lets anyone who knows a recipient's eBay User ID learn that person's first name. An email that addresses its recipient by real name looks more legitimate, and scammers may exploit that in phishing campaigns.

An eBay user wrote about the personalization gaffe on his eBay blog. Jeff Stannard of the Melrose Stamp Company wrote, "If I don't study emails now close enough and not notice that my last name is not present from an ebay-looking-generated-email, I might just get a hijacked account as a result of my oversight." (http://tinyurl.com/33wynx). Other users expressed similar concerns on an eBay discussion board thread (http://forums.ebay.com/db2/thread.jspa?messageID=1010292224).

eBay recently sent personalized print catalogs through the mail to over 4 million prospective buyers. The catalogs contain URLs on a site called ebayfaves.com; typing a personalized URL into a browser brings up a customized page that displays the recipient's first name along with shopping suggestions based on his or her interests.

Because the personalized part of the URL is the recipient's eBay User ID, entering other User IDs at the end of the URL returns either an error page (if the ID is not in the database) or a customized page displaying that person's first name. In other words, the page confirms whether a given User ID received the catalog and, if so, reveals the first name attached to it.

Ironically, when eBay senior director of on-site and direct marketing Shawn Mielke spoke at last year's Annual Conference for Catalog, Internet and Multichannel Merchants, he cited the problem of spoofed eBay emails as one reason eBay decided to increase its offline marketing efforts (http://www.dmnews.com/cms/dm-news/catalog-retail/36675.html).

While the ebayfaves.com pages expose no personal or financial information beyond a user's first name, that name is enough to make a phishing email more convincing to an unwitting recipient. Last year, AuctionBytes revealed a similar but more serious incident in which anyone could find out whether an email address was attached to a PayPal account and, if so, the account holder's full name (http://www.auctionbytes.com/cab/abn/y06/m03/i27/s04). The person who brought that vulnerability to AuctionBytes' attention said the security hole had been in place for about a year and that many scammers were aware of it.
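The ebayfaves.com pages and the earlier PayPal email lookup share one design flaw: a public identifier (a User ID, an email address) keyed the lookup, and the response differed for known and unknown keys, so the page doubled as an enumeration oracle. The Python below is an added illustration of that flaw beside the usual fix, and is not eBay's, PayPal's or Haggin Marketing's code. The recipient list, the page wording and the names vulnerable_lookup, TokenPersonalizer and enumerate_ids are constructed for the example; the hardened variant assumes the catalog prints a random per-recipient token in place of the User ID and that unknown tokens get the same generic page.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample mailing list for the example (not real eBay users).
RECIPIENTS = {
    "stamp_dealer_77": "Jeff",
    "vintage_lamps": "Maria",
    "bookhound": "Priya",
}

GENERIC_BODY = "Welcome! Here are some picks you might like."


def vulnerable_lookup(user_id: str) -> dict:
    """Page handler keyed on the public eBay User ID, as the article describes.

    Known and unknown IDs get different responses, so a prober can both confirm
    that an ID was on the mailing list and read back the recipient's first name.
    """
    first_name = RECIPIENTS.get(user_id)
    if first_name is None:
        return {"status": 404, "body": "We could not find your page."}
    return {"status": 200, "body": f"Welcome, {first_name}! Here are your picks."}


@dataclass
class TokenPersonalizer:
    """Hardened handler: the catalog prints a random per-recipient token, not the User ID.

    Knowing someone's public User ID gives a prober nothing to type in, the 256-bit
    token space cannot be enumerated, and unknown tokens get the same generic page
    with the same status code, so the handler is not an existence oracle either.
    """
    recipients: dict
    _by_token: dict = field(default_factory=dict, init=False)

    def issue_token(self, user_id: str) -> str:
        """Mint the token to print in one recipient's catalog (hypothetical helper)."""
        token = secrets.token_urlsafe(32)  # 32 CSPRNG bytes -> 43 URL-safe characters
        self._by_token[token] = self.recipients[user_id]
        return token

    def lookup(self, token: str) -> dict:
        # A plain dict lookup is adequate here: with a 256-bit random token the
        # response content, not lookup timing, is what a remote prober can use.
        first_name = self._by_token.get(token)
        if first_name is None:
            return {"status": 200, "body": GENERIC_BODY}
        return {"status": 200, "body": f"Welcome, {first_name}! Here are your picks."}


def enumerate_ids(handler, candidates) -> dict:
    """Simulate a prober feeding guessed identifiers to a handler and harvesting names."""
    found = {}
    for cand in candidates:
        body = handler(cand)["body"]
        if body.startswith("Welcome, "):
            found[cand] = body[len("Welcome, "):].split("!", 1)[0]
    return found


if __name__ == "__main__":
    guesses = list(RECIPIENTS) + ["nobody_here"]
    print("vulnerable design leaks:", enumerate_ids(vulnerable_lookup, guesses))
    hardened = TokenPersonalizer(RECIPIENTS)
    catalog_token = hardened.issue_token("stamp_dealer_77")
    print("hardened design leaks:", enumerate_ids(hardened.lookup, guesses))
    print("real recipient still sees:", hardened.lookup(catalog_token)["body"])
```

Running the script shows the first design handing back every first name for which a User ID is guessed, while the token-based design yields nothing to the same probe yet still personalizes the page for the person holding the printed catalog. The uniform response for unknown tokens matters less here than in the PayPal case, where the identifier being probed (an email address) is itself public and the mere existence answer was the leak.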

The ebayfaves.com domain is registered to Lanya Zambrano at Haggin Marketing Inc., a third-party company that specializes in direct mail and catalogs. eBay's privacy policy outlines the information it may share with other entities (http://pages.ebay.com/help/policies/privacy-policy.html).

eBay and PayPal have areas on their sites devoted to educating users about security issues, and eBay generally recommends that users download its toolbar, which helps them tell whether they are on a spoof site.

Update 9/21/07: An eBay moderator posted the following note on the forum thread discussing this issue: "We truly apologize for any concern these pages have caused our members. This was an error that has been resolved. All pages no longer contain first name information. Thank you for bringing this to our attention and again, our sincerest apologies for this oversight. We will ensure this does not happen again."

Related Stories
  • Vladuz 'Captcha Populator' Tool Doesn't Worry eBay, Mozilla - March 06, 2007, Issue #1488
    Copyright 1999-2008. Steiner Associates LLC. All rights reserved