The security flaw directing eBay customers to malicious websites had been in the site since February, BBC reports.
Clicking on some listings transferred customers of the e-commerce site to malicious websites. eBay stated that they had removed these listings, but BBC found similar listings created by various users.
A transcript sent by user Paul Castle to eBay in February detailed the issue in a chat with eBay personnel.
"I was just browsing in Digital Cameras and came across a password-harvesting scam," wrote Castle, quoted by BBC.
Castle explained that when he clicked the link, he was immediately redirected to a site that harvests passwords. The eBay staff told him that his case was escalated to higher authorities.
The search function of the site presents results of auctions that are completed and not older than 15 days. However, a search conducted by BBC found 64 listings from the past 15 days that may have linked users to malicious sites. Each of the cases showed that cross-site scripting (XSS) was utilized to facilitate the hack.
"This is not a new type of vulnerability on sites such as eBay," a spokeswoman for the company said in a statement. The company assured that they have a security team for the site, but the hackers used tactics capable of bypassing their security systems.
Security experts criticized eBay for its handling of the issue. Although the affected listings were removed, eBay failed to solve the problem at its core. The company should have immediately removed the affected content and created measures to prevent further attacks instead of compromising the customers' accounts for months.
This is not the first time that eBay has been hit with a security breach. The company suffered from a massive security breach in May that affected 145 million customers. The cyberattack, performed by unknown hackers, happened between late February and early March. The stolen data included email addresses, encrypted passwords, mailing addresses and birth dates, among other pieces of customer information.