PayPal E-Mail Leak Brings Phishing Worries

A security breach at a third-party company leaves PayPal e-mail addresses exposed on the Internet.

Electronic payment provider PayPal Inc. on Monday confirmed that a security breach at a partner site left an unknown number of e-mail addresses exposed on the Internet.

The eBay-owned company, which has been a major target for phishing attacks, said the security breach occurred at Benchmark Portal, a third-party company that handles customer-survey e-mails and exposed a "limited number of user e-mail addresses."

Word of the data leakage first surfaced on security message boards over the weekend and pointed to an apparent bug in the software used to manage "unsubscribe" requests from PayPal users. was able to verify that certain readily available URLs could be manually manipulated to show e-mail addresses of PayPal users who recently unsubscribed from customer-service surveys.

PayPal spokeswoman Sara Bettencourt said the breach had been fixed and insisted that only a small number of users were affected. However, security experts say a malicious person with the most basic scripting tool could have exploited the bug to hijack a large list of legitimate PayPal e-mail addresses.

E-mail addresses are used to handle PayPals log-in process.

"Were working directly with those users whose e-mail addresses were exposed. Were informing them of the situation and warning them they may receive deceptive e-mails. Were encouraging them to contact us if they receive deceptive e-mails," PayPals Bettencourt said.

She said the breach did not leak any information beyond e-mail addresses. "We use high levels of encryption on our own secure servers. Passwords are never accessible to any third party."

/zimages/4/28571.gifClick here to read about PayPals apology for a spate of sporadic outages.

Jon Anton, a spokesman for Benchmark Portal, confirmed that the data leak was the result of a "malicious hacking attack" and confirmed PayPals assertion that it involved a very small number of e-mail addresses.

"We only have e-mail addresses to do customer surveys. This did not involve any personal information, passwords, credit card information or bank information," Anton told

He said the company was alerted to the breach late Saturday evening and was able to address it by Sunday.

"This was a malicious hacking attack. Someone broke into our process and was able to grab a very small number of e-mail addresses. We spotted it very early because we noticed an unusually large number of unsubscribes coming in," Anton added.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.