Hacker infiltrates eBay admin system

Last month, you might have read about a security breach at eBay that resulted in the public disclosure of some 1,200 credit card numbers. Turns out, it was more hoax than hack: the credit card information didn't match anything that eBay had on file. This month, however, the online auction site found itself the victim of a real breach: a hacker going by the name of "Vladuz" (believed by some to be the same individual behind the earlier incident) gained access to components of an old eBay administrative system and disabled several user accounts.

eBay has since removed the compromised code from its servers and assures users that it has taken the appropriate steps to ensure that a similar attack won't be successful in the future. "This fraudster found very old administrative functions that had not been deactivated several years ago when we changed the security of our internal systems," a statement from an eBay Trust and Safety representative said. "These functions were still accessible on public servers, while the rest of our functionality is now behind multiple layers of security. We immediately identified the functions that he accessed and deactivated, and we are undergoing an audit to ensure obsolete code that may still exist for other reasons is secure."

The moral of the story? If you've got vestigial code on your servers, make sure it's secure.

For more on the attack:
- see this Ars Technica story
