:: Deepquest ::

Electronic payment provider PayPal Inc. on Monday confirmed that a security breach at a partner site left an unknown number of e-mail addresses exposed on the Internet.

The eBay-owned company, which has been a major target for phishing attacks, said the security breach occurred at Benchmark Portal, a third-party company that handles customer-survey e-mails and exposed a “limited number of user e-mail addresses.”

Word of the data leakage first surfaced on security message boards over the weekend and pointed to an apparent bug in the software used to manage “unsubscribe” requests from PayPal users.

eWEEK.com was able to verify that certain readily available URLs could be manually manipulated to show e-mail addresses of PayPal users who recently unsubscribed from customer-service surveys.

PayPal spokeswoman Sara Bettencourt said the breach had been fixed and insisted that only a small number of users were affected. However, security experts say a malicious person with the most basic scripting tool could have exploited the bug to hijack a large list of legitimate PayPal e-mail addresses.

E-mail addresses are used to handle PayPal’s log-in process.

“We’re working directly with those users whose e-mail addresses were exposed. We’re informing them of the situation and warning them they may receive deceptive e-mails. We’re encouraging them to contact us if they receive deceptive e-mails,” PayPal’s Bettencourt said.

more from [url=http://www.eweek.com/article2/0,1759,1754013,00.asp]Eweek[/url]