Sedo scrambles to patch data breach but concerns still remain

Less than 24 hours after introducing a series of features that exposed seller data to anyone with the will to acquire it and basic scraper-scripting skills, Sedo changed the way the “Meet the seller” link functions.

In a dry and short statement issued on DNForum, Sedo’s Customer Relations Associate Monica Ibrahim said:

“As a quick FYI, our tech team has made sure to remove all personally identifiable member ID data from the Seller’s Activity Index. We apologize for the initial issue. Please note that member IDs are not present in the Seller Activity Index or on the Domain Portfolio Links (which can be deactivated if you wish as mentioned earlier)”

Prior to this statement, Sedo had vehemently denied that any privacy breach had taken place, while maintaining that the newly introduced features would benefit the sellers and buyers who use Sedo as their domain marketplace.

Indeed, Sedo’s programmers scrambled to change the database interfacing from an open sequential id to a hashed (encoded) string that is valid only for a limited period after the user clicks the “Meet the seller” link. Upon my suggestion that should offer assistance to the programming team, Donny Simonton replied:

“I wish we could offer some help. As a programmer I do understand what they are trying to do. They are being lazy, been there many times. I would think they could easily change it to an md5 hash of the id + the domain or something similar. Something that cannot be reversed.”
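The sequential-id problem and the hashed-link fix discussed above, as an added example that is not Sedo’s code and not from this post or its commenters: each “Meet the seller” link gets a random token that the server resolves back to the seller for a short period, rather than an unkeyed hash of the id (which anyone who knows the public domain name could recompute for every small integer id). The store, the TTL and all class and field names are assumptions.

```python
"""Opaque, time-limited references for 'Meet the seller' links (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 600  # assumed lifetime of one link


@dataclass
class Grant:
    seller_id: int
    domain: str
    expires_at: float


class SellerLinkTokens:
    """Issues random tokens and resolves them only while they are still valid."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}

    def issue(self, seller_id: int, domain: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 random bytes: unguessable and unrelated to the seller's numeric id,
        # so the link cannot be enumerated like a sequential id, nor recomputed
        # like an unkeyed hash of that id plus the (public) domain name.
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(seller_id, domain, now + TOKEN_TTL_SECONDS)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[Grant]:
        """Return the grant behind a token, or None if unknown or expired."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None:
            return None
        if now >= grant.expires_at:
            del self._grants[token]  # an expired link is dropped on first use
            return None
        return grant

    def purge(self, now: Optional[float] = None) -> int:
        """Drop every expired grant; returns how many were removed."""
        now = time.time() if now is None else now
        expired = [t for t, g in self._grants.items() if now >= g.expires_at]
        for t in expired:
            del self._grants[t]
        return len(expired)
```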

Although these changes were implemented quickly after my public disclosure of how exposed the seller information had been, Sedo has yet to fix the way its auctions are referenced: they still use the same non-hashed, open id. Currently, all 39,000-odd completed and ongoing auction pages are exposed to scraping by data miners.

Most importantly, Sedo has not changed how the new features appear under a user’s profile: the user’s country, seniority at Sedo, arbitrary ratings (zero to five stars) as a seller and as a buyer, and how long a particular domain has been listed at Sedo are all openly visible to any logged-in user, and the account holder cannot turn them off.

Sedo has so far kept a low profile on the matter, but the reaction of serious, active traders has been sharp and full of criticism of the way Sedo has forced these new features on its users. With offices in the UK and Germany, Sedo is up against a series of strict laws protecting the privacy of individuals and corporations, stricter than US regulations on the safekeeping of personal data. Meanwhile, Sedo has stated that if a user decides to leave the Sedo selling platform and delete their user profile, their data remains with Sedo indefinitely. This has serious implications for any potential data breach in the future: user accounts contain a lot of financial and other private information, and Sedo’s programming methods reveal a lax approach to security.

Keep contacting Sedo via the email and their support hotline at (617) 499-7200 (press 3) to voice your opposition to the lack of an ON/OFF switch for the newly introduced features.


Impressive post, Theo.

Good reporting!
