Eve.com scrambles to assess security breach

The online beauty-products retailer temporarily shuts down its Web site after customers' personal information on thousands of orders is exposed.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Eve.com today temporarily shut down its Web site after a security breach exposed customer order information on thousands of orders dating back to last year.

Discovered by San Francisco Bay Area software developer Jonathan Khoo, the breach allowed customers to view other people's orders by simply changing a number in the URL. The breach exposed customers' names and addresses, products and the dates on which they were ordered, the types of credit cards customers used, and the last five digits of the cards' numbers.

"You'd think they would check to see if each page was an order you placed as opposed to anyone else's order," Khoo said. "This shouldn't be happening."

Alerted to the problem by CNET News.com, Eve.com took its Web site down sometime between 2:30 p.m. and 3:30 p.m. PT. As of 5:20 p.m., the site was still down.

"Privacy and security is and has always been the No. 1 priority for Eve," Dan McMahon, Eve.com's executive vice president of technology, said in a statement. "We are very concerned about customers' privacy and take these matters very seriously."

The breach follows closely on the heels of several other recent privacy problems. Last week, IKEA shut down its catalog order site after a privacy breach exposed customer order information. And a glitch at Amazon.com last week exposed the email addresses of many of its Affiliate members.

The problem at Eve.com, an Internet beauty-products retailer, potentially exposed the company's entire order history. A random check by CNET News.com revealed some 168,000 orders dating back to May 31, 1999.

San Francisco-based Eve.com, which is backed by Idealab, officially opened for business in June 1999.

Khoo said he discovered the problem yesterday while checking the site for the status of his own order.

The security breach at Eve.com is similar to one discovered last year at e-tailer Netmarket.com. As with the Eve.com breach, the one at Netmarket involved customer order numbers incorporated into a URL.
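The flaw described above, where changing the order number in a URL displays another customer's order, comes down to a lookup that is never tied to the logged-in customer. The following is an added illustration, not Eve.com's or Netmarket's code (the article shows neither); the `/orders/<number>` route, the function names and the sample orders are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    name: str
    address: str
    card_type: str
    card_number: str

# Constructed sample data (test card numbers, not real orders).
ORDERS = {
    1001: Order(1001, 7, "A. Example", "1 Sample St", "Visa", "4111111111111111"),
    1002: Order(1002, 8, "B. Example", "2 Sample Ave", "MasterCard", "5555555555554444"),
}

class NotFound(Exception):
    """Raised for missing and not-owned orders alike, so responses match."""

def view_order_vulnerable(order_id: int) -> Order:
    # Flawed pattern: the number taken from the URL is the only key used.
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order

def view_order_checked(session_customer_id: Optional[int], order_id: int) -> dict:
    # Require a logged-in customer and confirm the order belongs to them.
    order = ORDERS.get(order_id)
    if (session_customer_id is None or order is None
            or order.customer_id != session_customer_id):
        raise NotFound(order_id)
    # Return only what a status page needs; mask the card number.
    return {"order_id": order.order_id, "name": order.name,
            "address": order.address, "card_type": order.card_type,
            "card_last4": order.card_number[-4:]}

def handle_request(session_customer_id: Optional[int], path: str):
    """Hypothetical route /orders/<number>; returns (status, body)."""
    prefix = "/orders/"
    tail = path[len(prefix):] if path.startswith(prefix) else ""
    if not (tail.isascii() and tail.isdigit()):
        return 404, None
    try:
        return 200, view_order_checked(session_customer_id, int(tail))
    except NotFound:
        return 404, None
```

Returning the same 404 for an order that does not exist and one that belongs to someone else keeps the response from confirming which order numbers are in use.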