X

Glitch reveals Buy.com customer information

The online store says it has repaired an automated product return mechanism that exposed customers' names, phone numbers and addressees over the Internet.

Stephen Shankland Former Principal Writer
Stephen Shankland worked at CNET from 1998 to 2024 and wrote about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise Processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science. Credentials
  • Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
See full bio
Stephen Shankland
2 min read
Online store Buy.com said Thursday it has repaired an automated product return mechanism that exposed customers' names, phone numbers and addressees over the Internet.

"We resolved it as quickly as we could," said Buy.com vice president of operations Tom Wright. "We clearly understand that it's probably sensitive information to our customers."

The problem came through a merchandise return system jointly run by Buy.com and United Parcel Service. Filling out an electronic form generates a Web page with a return shipping label that a customer can print. By modifying a number in the Web address, a person can sift through a large database of mailing labels.

Harvard student Ben Edelman said he discovered the Buy.com breach Thursday when returning some merchandise. An email from the Buy.com system contained the Web address, and it was a simple matter to change it and discover other customer accounts, he said. "This doesn't look very secure," he said upon reading the email.

CNET News.com verified the breach.

The issue is similar to a series of problems that have plagued e-commerce Web sites. Eve.com took its site down when a breach allowed people to view customer orders, the types of credit card used and other information.

Netmarket, Amazon.com and IKEA also have suffered similar problems.

The Buy.com security breach happened on servers maintained by UPS, Wright said. UPS and Buy.com worked together to correct the situation, he said.

Edelman notified Buy.com of the problem Thursday afternoon. The company said it fixed the problem later in the afternoon such that customers could see shipping labels only after providing their own electronic account numbers.

Customer information still was visible at 6:40 p.m. PT after Buy.com said it had been fixed, but Travis Fagan, vice president of customer support, said it takes some time for the repair to spread across the Buy.com system.

The information was "useless," said Wright, characterizing it as no different from what a person could see looking at a box of outgoing mail in the office.

But there are some differences from what a person could find in an ordinary mailbox.

For one thing, the information revealed who exactly purchased from Buy.com, which sells computer hardware and software, consumer electronics, sports equipment, music and other products. In addition, the information was available online, making it possible to create a program that would collect the information automatically.