Beware when shopping online this holiday season as at least one eBay merchant has been found to have exposed the personal information of hundreds of Australians on the internet.
Detailed information about a particular eBay seller's customer transactions - including their phone numbers, postal addresses, email addresses and what a customer purchased - were found on the web for anyone to access via a Google search.
The merchant, "shahizanhashim", is based in Malaysia and sells clothing on the auction site. It exposed the details of 303 Australians who had purchased items through its eBay account on its business website, tropicalsale.com, which eBay said it was able to shut down this afternoon.
In a statement the merchant's owners apologised to customers and said they didn't realise Google had indexed their website containing customer information.
The total database of 791 customer transactions, which includes 228 transactions with customers in the US, was found to have been left wide open when an Australian eBay user discovered the page while doing a Google search for her name.
The customer, who didn’t want to be named because she feared people could still Google her name and find her personal information, said she recently bought Christmas presents from the eBay seller.
"I found that my personal details have been compromised and are floating around in internet land for all to see," she said.
"It sends a clear warning to eBay buyers that you may think your details are safe but they are not."
After being contacted for comment this afternoon, eBay's Australian head of communications, Sandy Culkoff, said the auction company had been able to shut down the page, which was hosted on the merchant's own website rather than eBay's.
"No personal financial information, such as credit card details, were provided by eBay or exposed by the seller," she said.
"eBay is in the process of identifying data that may have been exposed on the seller's website," she said. "eBay will continue to evaluate the functionality of the seller's website and work with the seller and any impacted buyers."
The Australian Privacy Commissioner, Timothy Pilgrim, said he was aware of the incident "and it is concerning".
"eBay have contacted us about this matter and are keeping us informed," he said.
Anyone who visited the merchant's page, which was not secured by a password, could search its customer database by a customer's eBay ID, item number, country or status.
"It's not just a lapse in security but a total absence of it," said Paul Ducklin, Australian security expert at Sophos.
"This isn't even a 'direct object reference' vulnerability, where you guess a user's ID or a sequence number to insert into a URL. It's just an online order processing system which is completely open to anyone, including search engines."
The full-time owners of the merchant account, which has been operating on eBay since 2005, husband and wife Shahizan and Zaini Hashim, said in an email to Fairfax that they would like to apologise for exposing customers' information.
"We will not be using the online data again," they said. "This is a hard lesson for us."
They said they would let customers "know later" about the issue.
The website containing customer information was created by them because "eBay has limited functionality for us to track the records of our customers' needs," they said.
"The reason why we put [it on] the web [was] because we can access the information easily from anywhere, as we do travel a lot."
By having the data on the web, they said they could "manage easily" packages being shipped. "Our business ship[s] hundreds of packages every month and it is very hard to keep track of them just by using what [is] available on eBay."
They said they didn't realise the website exposing customer data had been indexed by Google and thought they were the only ones who could access it as they were the only ones who knew the URL.
"The [person] who found this [information] must be typing the address [in a] browser and [got] it by chance."
They said they were not "aware that keeping the information would be an offence".
The breach follows ANZ today disabling parts of its online account services after a security flaw was discovered that exposed customers' personal banking details through electronic statements. The problem may take weeks to fix.
"eBay is investigating the incident further and the seller is cooperating with us in the process."