The subsidiary of Web auctioneer eBay said this week that BenchmarkPortal had not properly secured an online form for customers to opt out of a recent survey that PayPal had hired the company to perform. PayPal did not reveal how many e-mail addresses had been harvested using the flaw but called the breach "extremely limited."
"Even first and last names are only kept on our own servers," PayPal spokeswoman Sara Bettencourt said. "All sensitive financial information resides on our servers, and none of that information was ever accessed."
The data leak was possible because of a flaw in the opt-out form provided by BenchmarkPortal, a provider of survey services. The form showed a customer's e-mail address to anyone who guessed BenchmarkPortal's survey ID for that customer. If an intruder guessed a valid ID number, the corresponding PayPal user e-mail address was returned.
BenchmarkPortal could not immediately be reached for comment.
Bettencourt said PayPal had contacted every affected user and had reserved a customer service number for them. Because only e-mail addresses were accessed, the consequences of the leak should be minimal, she said. The affected users may get a larger number of e-mail scams than normal, she said.
Like banks and other financial institutions, PayPal is aknown as phishing attacks, because sensitive information gained from customers can be turned into cash. Bettencourt would not discuss whether the data leak had an impact on PayPal's relationship with BenchmarkPortal.
"Right now, we are working with them to make sure that this doesn't occur in the future," Bettencourt said.