eBay's Form 10-K Annual Report, filed with the United States Securities and Exchange Commission on February 28, 2007, stated that eBay had 222 million registered users as of December 31, 2006, yet it was recently reported that 23% (51,060,000) of those registered users have not accessed their accounts in a year or more. However, another source reported in January 2007 that only 79.8 million registered users are active, intimating that 142.2 million or 64% of the registered accounts are dormant.
Yet eBay could do many things to secure these accounts. Somewhere between 23% and 64% of the registered accounts have not been accessed in a year or more, and if hackers can find out the passwords on these dormant accounts, there will be millions if not billions of fraudulent listings available to entice innocent buyers.
eBay must think that it is immune to having its servers breached. Shouldn't the breach of 45.7 million credit and debit card records that occurred at TJX Companies serve as a wake-up call to eBay?
Although pleas have been made by members of the eBay community to secure dormant accounts, eBay remains steadfast and does nothing. It has been suggested on this blog and on eBay community message boards that eBay secure any account that has been inactive for 30 days or more to cut off the potentially large inventory that hackers might gain access to.
eBay management continues to state that thieves can only gain access to accounts due to its members irresponsibly giving away their IDs and passwords by responding to spoof and phish email messages and clicking on redirected links in eBay listings.
eBay could take a proactive stance and put any account not accessed in 30 days into abeyance. If members wanted to reactivate their accounts, all that would be required would be for a member to answer the secret question that was created when the member initially registered and to change the password.
Alternatively, eBay could send out email messages to each member who has not accessed his account and suggest that, because of inactivity, the member permanently close his account by submitting the appropriate webform. If a member chooses not to close his account after receiving the inactivity message, at least he has been informed. eBay could also send these messages out on each member's anniversary date.
Secondly, if any email message that eBay sends out bounces back (because of bad contact information) eBay should automatically suspend the account.
Thirdly, eBay should require each member to change his password at least every 90 days.
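The three rules proposed above (abeyance after 30 days of inactivity, suspension when email bounces, a password change every 90 days) can be expressed as a single policy check run over account records. This is an added example, not eBay's code or part of the original post; the `Account` fields, the rule precedence, the treatment of never-used accounts and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=30)  # abeyance threshold proposed in the post
PASSWORD_MAX_AGE = timedelta(days=90)  # rotation interval proposed in the post

class Action(Enum):
    NONE = "none"
    FORCE_PASSWORD_CHANGE = "force_password_change"
    ABEYANCE = "abeyance"  # locked until secret question + new password
    SUSPEND = "suspend"    # contact email bounced

@dataclass
class Account:  # hypothetical record layout, not eBay's schema
    user_id: str
    registered: datetime
    last_login: Optional[datetime]  # None means the account was never used
    password_changed: datetime
    email_bounced: bool = False

def evaluate(acct: Account, now: datetime) -> Action:
    """Return the strictest action the three rules call for (assumed precedence)."""
    if acct.email_bounced:
        return Action.SUSPEND
    # Assumption: a never-used account ages from its registration date.
    last_seen = acct.last_login or acct.registered
    if now - last_seen >= INACTIVITY_LIMIT:  # "30 days or more"
        return Action.ABEYANCE
    if now - acct.password_changed >= PASSWORD_MAX_AGE:
        return Action.FORCE_PASSWORD_CHANGE
    return Action.NONE

def reactivate(acct: Account, now: datetime, secret_answer_ok: bool, new_password_set: bool) -> bool:
    """Lift abeyance only when both steps from the post succeed."""
    if evaluate(acct, now) is not Action.ABEYANCE or not (secret_answer_ok and new_password_set):
        return False
    acct.last_login = acct.password_changed = now
    return True

NOW = datetime(2007, 6, 1)  # constructed sample data below
SAMPLE = [
    Account("active", datetime(2005, 1, 1), NOW - timedelta(days=3), NOW - timedelta(days=20)),
    Account("stale_pw", datetime(2005, 1, 1), NOW - timedelta(days=3), NOW - timedelta(days=120)),
    Account("dormant", datetime(2004, 1, 1), NOW - timedelta(days=400), NOW - timedelta(days=400)),
    Account("never_used", datetime(2006, 1, 1), None, datetime(2006, 1, 1)),
    Account("bounced", datetime(2005, 1, 1), NOW - timedelta(days=3), NOW - timedelta(days=20), True),
]
```

Checking the bounce flag first means an account with bad contact information is never offered self-service reactivation, which is a design choice of this example.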
By taking these simple steps, eBay would be protecting its members from being enticed by fraudulent listings posted on hijacked accounts, and would not be wasting its labor force's time securing dormant accounts that have been hacked by thieves. eBay is not only being stubborn, but being foolish. Stating that there are 222 million registered users, but not reporting how many accounts are inactive, is distorting the numbers for the bean counters.
eBay will celebrate its 12th anniversary in September.