CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry scrambles to assess security breach

The online beauty-products retailer temporarily shuts down its Web site after customers' personal information on thousands of orders is exposed. today temporarily shut down its Web site after a security breach exposed customer order information on thousands of orders dating back to last year.

Discovered by San Francisco Bay Area software developer Jonathan Khoo, the breach allowed customers to view other people's orders by simply changing a number in the URL. The breach exposed customers' names and addresses, products and the dates on which they were ordered, the types of credit cards customers used, and the last five digits of the cards' numbers.

"You'd think they would check to see if each page was an order you placed as opposed to anyone else's order," Khoo said. "This shouldn't be happening."

Alerted to the problem by CNET, took its Web site down sometime between 2:30 p.m. and 3:30 p.m. PT. As of 5:20 p.m., the site was still down.

"Privacy and security is and has always been the No. 1 priority for Eve," Dan McMahon,'s executive vice president of technology, said in a statement. "We are very concerned about customers' privacy and take these matters very seriously."

The breach follows closely on the heels of several other recent privacy problems. Last week, IKEA shut down its catalog order site after a privacy breach exposed customer order information. And a glitch at last week exposed the email addresses of many of its Affiliate members.

The problem at, an Internet beauty-products retailer, potentially exposed the company's entire order history. A random check by CNET revealed some 168,000 orders dating back to May 31, 1999.

San Francisco-based, which is backed by Idealab, officially opened for business in June 1999.

Khoo said he discovered the problem yesterday while checking the site for the status of his own order.

The security breach at is similar to one discovered last year at e-tailer As with the breach, the one at Netmarket involved customer order numbers incorporated into a URL.