An eBay moderator apologized to users on a Trust & Safety discussion board over an incident that took place on Friday in which a hacker was able to suspend some member accounts. He explained, "This fraudster found very old administrative functions that had not been deactivated several years ago when we changed the security of our internal systems. These functions were still accessible on public servers, while the rest of our functionality is now behind multiple layers of security. We immediately identified the functions that he accessed and deactivated, and we are undergoing an audit to ensure obsolete code that may still exist for other reasons is secure."
Friday's incident was detailed on the AuctionBytes blog on Saturday and was believed by users to have been committed by a fraudster called Vladuz (http://blog.auctionbytes.com/cgi-bin/blog/blog.pl?/pl/2007/10/1191718840.html). The story was picked up on Monday by IDG News Service reporter Juan Carlos Perez (http://www.pcworld.com/article/id,138193-c,hackers/article.html).
The eBay moderator, posting on Monday evening, said no financial information had been accessed ("that is because credit card data is protected at a much higher level than contact information") and called the number of affected accounts a "handful."
He told affected users to write him at john_security@ebay.com if they had not received a phone call from eBay.
http://forums.ebay.com/db2/thread.jspa?threadID=2000445800