Update/Clarification: eBay reached out to DataBreaches.net to ask that we make clear that the breach did not occur after eBay purchased the site, but rather, it occurred while it was still on the W3 system – before eBay bought it. eBay also notes that “we launched an entirely new platform on January 15, 2015 when the acquisition was finalized that includes, among other things, enhanced security measures to protect our customers. The new platform follows strict protocols to keep personal information secure. The new platform has not been compromised.”
Original story:
On March 5, Peter M. Zollman reports:
Vivanuncios, the Mexican classified [ads] website recently purchased by EBay from W3 Ltd., has been hacked.
The companies disclosed the data theft on Thursday after inquiries from the AIM Group, which was informed of the hack by a man who claims to run a Belgian classified site.
Read more of his original coverage on AIM Group.
Today, Zollman reports that the breach was worse than what they originally reported:
The data breach at Vivastreet, owner of Vivanuncios in Mexico and a number of other classified sites, may have been much worse than we originally reported. Vivanuncios and its parent company, W3 Ltd. of London, said they will notify users of the site or sites affected, along with appropriate regulatory authorities.
[…]
The data that were openly available on Vivastreet servers represent potentially millions of email addresses, passwords, phone numbers, postal codes and IP addresses.
W3 founder and CEO Jean Yannick Pons said data was downloaded from his servers.
“W3 Inc. is aware of an intrusion into our Vivastreet customer database,” he told the AIM Group in an email. “We have evidence that limited, non-financial, personal information for a subset of our users — emails, hashed passwords, phone numbers — has been accessed by an outside party. We are actively investigating this matter with urgency.”
[…]
Frederic Peters, who operates the Petites Annonces (www.petitesannonces.be) classified site in Belgium, claimed to have downloaded the user data from Vivanuncios. He sent the AIM Group a 96 MB sample file with 86,000 email addresses from the Mexican site as proof. “I am still grabbing the data right now,” he said in an email on Feb. 28. “I started from 1st December 2014 when I discovered the data breach. My personal computer ran until the 15 January 24h / 24.”
Read more on AIM Group.
It’s interesting that Peters reported the breach to AIM Group and not to a major news outlet or a site that focuses on breaches. It would have been very easy to miss this breach report. Of course, there’s also the issue of whether this was really any “hack,” as Peters was just scraping the site and the data were available. But once he found the problem, why didn’t he notify them promptly?
In a series of lengthy emails, Peters told the AIM Group his collection of data from Vivanuncios was not for malicious purposes, but rather for leverage against W3 classified site Vivastreet, which Peters claims unfairly competes with Petites Annonces in Belgium.
All’s fair in business? I don’t think so….
Good questions ! the fact is that he notified them:
http://www.petitesannonces.be/temp/fb-vivastreet-databreach.png
http://www.petitesannonces.be/temp/vivastreet-pons-virginie-viber.jpg
For the second I would say: “It is said that there is none so deaf as he who will not hear.”
the way Virginie Pons replied to journalist to such questions in 2006 shows that they prefer to close their eyes as long as money comes in.
For the first one. I am astonished. 1 month to have a reaction.
I think, and this is my personal opinion. Ebay scrapped the data “tambien” to make several things, like data anlaysis.
I was reading twitters from Ebayclassified employe. This guy love to analyse trends series.