Seller Questions eBay Log In Security, Shown Other User's Data
An eBay seller is raising security concerns after a strange login glitch that showed him someone else's account information, including orders and disputes.
Not sure what to make of this...I was in Seller Hub, clicked on the "View Requests and Disputes" link on the sidebar, and then loaded into this page:
As shown in upper lefthand corner, my account is supposedly signed in, but this is clearly not my account being displayed.
- How is this happening?
- Why is this even able to be a thing?
- Is an investigation or broader oversight needed to ensure eBay can keep account information safe?
Never in my time on the internet have I been logged into an online account, and then just randomly been able to access another user's data/account. Not sure I want to continue a presence on the site if things are that unsecured.
As you can see from the screenshot, the seller's ID (gottasellemall69) is shown in the upper left under account detail; however, a completely different seller ID (brakemotive76) and account-specific info for that different ID are shown on the Seller Hub disputes page.
Jasmen@eBay at first didn't seem to grasp the seriousness of the security implications - suggesting it may simply be an issue with cookies/cache.
Sorry you're running into this! Everything you're explaining sounds like a cache and cookies issue. If someone else used your computer to log in it may show their name on the top if you don't frequently clear those out. Do you experience this in a different browser?
However, Gottasellemall69 confirmed they do not know the other seller, who is located several thousand miles away, and they've never allowed anyone else to access an eBay account on any of their devices or from their network.
I am on my home desktop, nobody uses the PC except for me, and no accounts other than mine have ever been signed into on this machine.
As this happened randomly, simply by clicking a link in Seller Hub, I am not sure how to exactly reproduce this issue via a different browser (and I have since gone and cleared cookies/cache/reset password, etc. immediately after it happening), and I generally only use Chrome anyway.
Other community members chimed in to confirm it was not likely a cookie issue and also confirmed they have seen other reports of similar issues in the past.
I can't see how this would be a cache-and-cookies issue. You've already logged in via a Secure Socket Layer connection and you're being handed a ton of someone else's data in one swell foop. This looks a whole lot more like a retrieval error at the host end...
...In the case of Current Requests and Disputes, though, something seems to go horribly wrong, with the call returning completely different data from someone else's page, perhaps the contents of the previously returned data structure instead, or at least a failure to initialize the structure properly (to flush out the previous customer's data) before continuing.
I see others report this every now and then. Sellers say that other sellers' listings appear on their active listings page in the hub and they can't access their own listings.
I have never seen any kind of resolution other than these sellers saying things went back to normal after a little while - except one poster that said the problem persisted for days.
I think this is a major security issue. You should do everything you can to escalate this with eBay's security team.
I wholeheartedly agree with that last statement - this is a major security issue that eBay needs to address ASAP.
I've tracked multiple kinds of fraud and scams on eBay and one thing many of them seem to have in common is the use of compromised/hijacked accounts.
While it's impossible to say if these issues are connected, it's clear eBay has some major problems with account security running unchecked across the platform.
Have you ever logged in to eBay and been shown another unassociated user's account information? If so, I'd love to hear about it - drop a comment or contact me if you'd prefer to remain anonymous.