
Ebay Hacked, User Info Posted

CmdrTaco posted about 7 years ago | from the hate-when-that-happens dept.

Security 242

An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 eBay users on the eBay.com Trust & Safety forums. eBay pulled the Trust & Safety forums offline, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay's response is on the eBay chatter page, and seems to try and downplay this "fraudster"'s activity."


Fraudster? (4, Insightful)

Hatta (162192) | about 7 years ago | (#20755397)

If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.

Re:Fraudster? (3, Insightful)

Frigga's Ring (1044024) | about 7 years ago | (#20755521)

While what you said makes sense, it's really a cold comfort when you consider the personal information at risk. The hacker could have posted it in the forums just to cause chaos or for a hundred other reasons. If it was merely used as a warning that eBay's security is lacking, they could have done it through an e-mail to the administrators or to a reputable news site.

Re:Fraudster? (5, Informative)

Judebert (147131) | about 7 years ago | (#20755601)

Ebay claims in TFA that the information was incorrect. In short, it's just a fraud, a scam, an attempt to get Ebay tech support and its customers riled up.

Re:Fraudster? (1)

mr_mischief (456295) | about 7 years ago | (#20755939)

What if the posts are real and really from those accounts, but the guy changed the credit card info to shield the users a bit? The personal information is bad, but valid credit card numbers would be worse. The guy claims over on YouTube that he just wants to wake eBay up, and that he's not out specifically to hurt the users.

All that said, if this guy's just a phisher, it's nothing about eBay's security to blame here. It's the stupid phish that took the bait.

Re:Fraudster? (5, Insightful)

StillNeedMoreCoffee (123989) | about 7 years ago | (#20755637)

I don't know which is worse: someone that tries to steal your identity and possibly gets caught and goes to prison and/or pays fines, or someone that posts your personal identifying information on a hugely public site so hundreds, maybe thousands, of people can take and use that information. I would guess that the information got out in the hacker community quickly and they all made copies of that information.

This kind of behaviour is reprehensible. If you wanted to let eBay know they have a security problem, tell them, anonymously if you must, but posting other people's identifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

Re:Fraudster? (4, Informative)

PalmKiller (174161) | about 7 years ago | (#20755777)

They called him a fraudster because the credit card info did not match the users' card info, so they think it's just a fake attempt to scare eBayers.

Re:Fraudster? (5, Insightful)

htricia (1133795) | about 7 years ago | (#20755815)

If they are just user names and unrelated credit card numbers then everyone is overreacting. User names are readily available all over the site, and you could get random credit card numbers using a fake name generator.

Your Credit Card (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#20755435)


has expired.

U.S.A. Communist Party FP!

Read Karl Marx and learn why the United States of America has collapsed.

Sincerely,
Kilgore Trout

Just beautiful. (0)

Anonymous Coward | about 7 years ago | (#20755451)

For those of us who have ebay accounts, does anyone have a list of those accounts compromised? I want to know if I should cancel any credit cards or change any passwords.

Re:Just beautiful. (1)

jtroutman (121577) | about 7 years ago | (#20755475)

According to TFA, eBay is contacting all of the users that were listed.

Re:Just beautiful. (1)

epedersen (863120) | about 7 years ago | (#20755525)

Yes they are. FTA: "We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves." And it looks like the credit card info may not be valid: "The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal."

Re:Just beautiful. (1)

ShatteredArm (1123533) | about 7 years ago | (#20756497)

They might be valid, but what it looks to me like they're saying is "they didn't come from eBay."

Re:Just beautiful. (1)

ivan256 (17499) | about 7 years ago | (#20755621)

And all those e-mail messages they are sending out are getting marked as "Scam" by Thunderbird....

Re:Just beautiful. (1)

ehrichweiss (706417) | about 7 years ago | (#20756401)

According to the article, they're using the phone, not email, to contact the users.

Just beautiful.... for Phishing (1)

huckamania (533052) | about 7 years ago | (#20755691)

Expect to receive a letter from "ebay" or "pay-pal" even if you really weren't one of the 1200.

Seriously, if you know anyone who uses ebay, let them know that email is not verified as regards the sender. My wife uses ebay on my account and I get phishing attacks thru ebay and paypal all the time. I'm sure this breach(?) will only make those phishing attacks more common and more effective.

Re:Just beautiful.... for Phishing (2, Interesting)

CRCulver (715279) | about 7 years ago | (#20755865)

SpamAssassin etc. can distinguish real eBay correspondence from phishing attacks. Most of the world regrettably uses webmail these days, but you make a small difference in the lives of your loved ones by setting up a POP account where each e-mail is passed through a filter.

Real Deal EBay (4, Informative)

spaceyhackerlady (462530) | about 7 years ago | (#20755923)

I get EBay phish email all the time, and I get real EBay email all the time.

It's easy to tell them apart. EBay never ask for credit card information (they don't have it); the phishers always do. EBay know my name, and use it. The phishers don't.

...laura

Re:Real Deal EBay (1)

IcyNeko (891749) | about 7 years ago | (#20756121)

Well, that and ebay comes from xxx.ebay.com, and phishers come from xxx.ebay-woohoo.ru/

Re:Real Deal EBay (0)

Anonymous Coward | about 7 years ago | (#20756145)

EBay know my name, and use it. The phishers don't.
They know your name now because of this break-in.

Re:Just beautiful. (1)

HTH NE1 (675604) | about 7 years ago | (#20756425)

I've forgotten my eBay password and I no longer possess the e-mail address with which I registered (change of ISP).

I may be safe though as the account dates back to before PayPal, I never gave eBay my credit card information, and I wasn't a seller... right?

Re:Just beautiful. (2, Funny)

Ragein (901507) | about 7 years ago | (#20755789)

HAH, just wait for the email from eebai@yahoo.com and confirm your credit card details there... well, at least that way you know which ones have been compromised.

My question is... (0, Redundant)

Tastecicles (1153671) | about 7 years ago | (#20755453)

...What are eBay doing with credit card information? I thought it was all done through Paypal or escrow services? Or am I missing something?

Re:My question is... (1)

dpaton.net (199423) | about 7 years ago | (#20755511)

eBay holds credit card information to bill users directly for auction insertion and listing fees. That's been done since the late 90s, before the Paypal takeover. They also use it to verify shipping addresses and contact information as I recall.

Re:My question is... (1, Redundant)

tomknight (190939) | about 7 years ago | (#20755523)

What you're missing is this: Reading The Fucking Article.

"The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over. The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. "

Re:My question is... (1)

krgallagher (743575) | about 7 years ago | (#20755641)

"What you're missing is this: Reading The Fucking Article."

Very interesting. I received an obvious phishing attempt in email yesterday pretending to be from eBay. It took me to a site that looked just like the front page of ebay.com with my email already in the login name. Naturally I did not log in, because the URL was not eBay. Still I wonder how many people did give out their account password and if this is the source of the "account take over" that seems to be the source of this information. It amazes me that such obvious attempts are successful, but I know that they are.

Re:My question is... (1)

Diakoneo (853127) | about 7 years ago | (#20756331)

I received one too. An item I had won had already shipped, but this e-mail claimed I had lost the auction. It had my name and the item I had bought in the email. The E-bay ID number of the transaction didn't match, but it looked incredibly realistic.

Re:My question is... (0)

Anonymous Coward | about 7 years ago | (#20756353)

Good to know that your response to an "obvious" phishing attempt is to click the link in the offending message, and marvel at the fake front page.

Re:My question is... (1)

Bigbutt (65939) | about 7 years ago | (#20756483)

So you went to the fake site? I don't even do that as I figure it's a totally hostile site and could infect, inject, neglect, and do all sorts of mean nasty ugly things to my system. Assuming main system usage vs a sandbox box of course.

[John]

Re:My question is... (1)

RattFink (93631) | about 7 years ago | (#20755527)

You still have to pay to list things on ebay. As far as I know the only way to do that is by giving ebay a CC number.

Re:My question is... (2, Informative)

Phil246 (803464) | about 7 years ago | (#20755919)

ebay owns paypal

Re:My question is... (1)

drxenos (573895) | about 7 years ago | (#20756187)

You must have a credit card on file to use their "buy it now" feature.

Re:My question is... (1)

perbert (241785) | about 7 years ago | (#20756259)

You must have a credit card on file to use their "buy it now" feature.
No you don't. I use that feature often enough and have no CC on file with eBay.

Re:My question is... (1)

drxenos (573895) | about 7 years ago | (#20756335)

They must have changed the policy. When I first started using it several years ago, you had to.

When will EBay notify? (4, Insightful)

charleste (537078) | about 7 years ago | (#20755463)

I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.

Re:When will EBay notify? (4, Insightful)

Shihar (153932) | about 7 years ago | (#20755587)

At least in the case of Monster.com, the only thing taken was the stuff you could have gotten off anyone's resume. Sure, that can help a phishing scam, but it isn't the end of the world. This is far, far bigger. Having credit card numbers stolen is a very big deal. If those 1200 posted were all that was stolen, then this will just be a minor inconvenience. E-bay will contact everyone and get those numbers promptly canceled. If on the other hand the 1200 posted numbers were just a display and proof that the hack had happened and that there were more stolen, then there is a very serious problem.

Even as it stands, unless E-bay can show beyond a shadow of a doubt that only those posted were the ones stolen, any credit card number that e-bay has should be held as suspect for potentially having been stolen. Ebay has really dropped the ball. It will be interesting to see how they scramble to deal with this.

Re:When will EBay notify? (1)

fistfullast33l (819270) | about 7 years ago | (#20755925)

It's funny - a friend of mine told me last week her email account was hacked into and someone was sending fake emails from her account. I thought she was crazy at the time because she thought that eBay had something to do with it. Now, I'm beginning to believe her.

How could the hacker have gotten her email password from eBay though? That was the part that sounded fishy (or phishy?) to me.

Re:When will EBay notify? (1)

mr_mischief (456295) | about 7 years ago | (#20756091)

Lots of email worms and trojans are written to be able to send through Outlook Express. They get on your system and send email through whatever outgoing account you have to whoever is in your address book. I'd suggest a virus and spyware sweep of your friend's computer, as it might be part of a botnet.

It's also pretty easy to get into any webmail account that doesn't use SSL for login credentials. Don't use webmail that doesn't encrypt your password.

It's also pretty easy to sniff plain-text usernames and passwords from POP3 servers using plaintext authentication. Use POP3 with TLS or SSL, or at least use secure password methods like MD5 or APOP. If your ISP doesn't know what those are or doesn't care enough to set them up and give tech support on them, then switch ISPs or use an independent email provider.

It's also dead easy from many mail servers to just put the wrong From: header in -- this often is as easy as changing your settings in Outlook Express or Thunderbird to say you're someone else. If your SMTP server doesn't require -- not allow, but _require_ -- you to authenticate, this is often allowed. Switch ISPs or use an independent mail provider if this is the case.

Re:When will EBay notify? (1)

profplump (309017) | about 7 years ago | (#20756389)

It's also dead easy from many mail servers to just put the wrong From: header in -- this often is as easy as changing your settings in Outlook Express or Thunderbird to say you're someone else. If your SMTP server doesn't require -- not allow, but _require_ -- you to authenticate, this is often allowed. Switch ISPs or use an independent mail provider if this is the case.

SMTP AUTH does not necessarily prevent the use of invalid FROM headers. It's possible to set up such policies, but in general it's a bad idea. For one thing, it only provides protection against people already using your mail server to inject messages, and doesn't pass that authentication forward in any useful way. If I wanted to impersonate someone else -- in your domain or another -- I could simply inject mail without using your SMTP server and claim to be whoever I like. For another, there are legitimate reasons that my FROM header may not match the account that is authenticated. For example, role-based emails, such as support@bob.com, are not actually generated by someone logged in as "support". And when dealing with automated response systems it's vital to be able to control where messages appear to be from, so that the reply is sent to the appropriate place.

Re:When will EBay notify? (1)

Spy der Mann (805235) | about 7 years ago | (#20756437)

It's funny - a friend of mine told me last week her email account was hacked into and someone was sending fake emails from her account.

Two words: Fake headers.
Anyone can put your name and e-mail address in the "From:" field of an e-mail. It's SPAM 101. Matching your name with your e-mail just requires more work (like data harvesting), but I would never consider it "hacking an account".

Re:When will EBay notify? (1)

fistfullast33l (819270) | about 7 years ago | (#20756491)

Yes, I'm aware of fake headers - but the way she caught the supposed break in was that her web client (not sure which one) showed the sent emails, which would suggest to me that someone had sent the emails directly through her email service. If someone was spoofing headers, something like Yahoo wouldn't have any record of it, unless the email bounced back.

Re:When will EBay notify? (1)

Wite_Noiz (887188) | about 7 years ago | (#20756439)

In addition to mr_mischief's post, check the raw email headers and look at where it came from.
It's so very easy to use a direct SMTP connection to either a relay or the target server and just lie about who sent the email using the "FROM" header.

SMTP is one of those annoying protocols that is just too damned "okay" (and ubiquitous) to be reimplemented with better source address verification. (See http://en.wikipedia.org/wiki/Sender_Policy_Framework [wikipedia.org] http://en.wikipedia.org/wiki/DomainKeys [wikipedia.org] and http://en.wikipedia.org/wiki/Sender_ID [wikipedia.org] )

If you can verify that it came from a mail relay, try contacting them about it. A lot of times the server admin doesn't realise they've buggered the security (once I contacted one that had accidentally connected his NIC to the WAN instead of LAN... he was a bit shocked). That at least helps countless other people.
You can also check if that relay is already on http://www.spamhaus.org/ [spamhaus.org] and consider adding it otherwise.

If it really is her email that's been hacked, just change her password to a /decent/ one.
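As an added illustration of the header check described in this thread (example code, not from any commenter): the script below unfolds a raw message's headers, takes the originating IP from the earliest Received: line that one of our own servers wrote, and evaluates that IP against a minimal SPF record. The message, host names and SPF records are all constructed placeholders, not any real domain's published data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample message (not from the thread). Newest Received: hop is
# at the top; the bottom hop is what handed the message to our own MX.
RAW_MESSAGE = """Received: from mx.example.net (mx.example.net [192.0.2.25])
\tby mail.example.net with ESMTP id abc123; Tue, 25 Sep 2007 10:00:00 +0000
Received: from unknown (HELO ebay.com) (198.51.100.77)
\tby mx.example.net with SMTP; Tue, 25 Sep 2007 09:59:58 +0000
From: "eBay" <aw-confirm@ebay.com>
To: victim@example.net
Subject: TKO NOTICE: Restricted Account Access

Please confirm your account.
"""

# Constructed SPF records standing in for DNS TXT lookups; these are NOT
# the real published records of any domain.
SPF_RECORDS = {
    "ebay.com": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all",
    "example.org": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# Hosts we operate (assumed): only Received: lines written "by" one of
# them are trustworthy; anything below them could be forged by the sender.
OUR_HOSTS = {"mx.example.net", "mail.example.net"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")


def unfold_headers(raw):
    """Return the header block as (name, value) pairs, joining folded
    continuation lines (those that start with whitespace)."""
    head = raw.split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def originating_ip(headers, our_hosts=OUR_HOSTS):
    """Walk the Received: chain from the oldest hop upward and return the
    client IP recorded by the first line one of our own hosts added."""
    received = [v for n, v in headers if n == "received"]
    for value in reversed(received):
        by = BY_RE.search(value)
        if by and by.group(1) in our_hosts:
            ip = IPV4_RE.search(value)
            return ip.group(1) if ip else None
    return None


def from_domain(headers):
    """Domain of the From: header. SPF proper authorizes the envelope
    MAIL FROM; checking the header From against the same record is what
    Sender ID's PRA mode does, and it is what the user actually sees."""
    for name, value in headers:
        if name == "from":
            match = re.search(r"@([\w.-]+)", value)
            return match.group(1).lower() if match else None
    return None


def spf_check(ip, domain, records=SPF_RECORDS):
    """Minimal SPF evaluation: ip4 mechanisms and the all mechanism only
    (no include, a, mx or redirect), returning the usual result names."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ip_network(term[4:], strict=False):
            return qualifiers[qualifier]
        if term == "all":
            return qualifiers[qualifier]
    return "neutral"


def analyze(raw, records=SPF_RECORDS, our_hosts=OUR_HOSTS):
    """Tie the pieces together for one raw message."""
    headers = unfold_headers(raw)
    ip = originating_ip(headers, our_hosts)
    domain = from_domain(headers)
    result = spf_check(ip, domain, records) if ip and domain else "none"
    return {"from_domain": domain, "origin_ip": ip, "spf": result}


if __name__ == "__main__":
    # The forged mail claims ebay.com but arrived from an address the
    # (constructed) record does not list, so the verdict is "fail".
    print(analyze(RAW_MESSAGE))
```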

Re:When will EBay notify? (1)

ari wins (1016630) | about 7 years ago | (#20756367)

If for no other reason, I applaud the miscreant for at least posting the info to a place where the "hacked" party can both control the info (removing the forums) and quickly contact the affected individuals, and hell even their banks if they wanted. I'd imagine there's a large portion of corporate working on getting this cleared up ASAP.

Re:When will EBay notify? (5, Funny)

bitt3n (941736) | about 7 years ago | (#20756465)

I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.
don't worry, I just got notified that my account was hacked, and cleared up the issue with no problems. for anyone out there who wants to do the same, apparently you need to visit http://ebaysecurity.ru/ [ebaysecurity.ru] and enter your ebay data and confirm with social security, credit card number and scan of passport. it only took me about 5 minutes. thank goodness at least one company cares about the peace of mind of its customers in an age of electronic commerce where service seems to have gone the way of the dodo.

video? (0)

Anonymous Coward | about 7 years ago | (#20755487)

why on earth would anyone make a video about this? a screenshot is much more effective. plus, less bandwidth.

some people seem to be imprisoned in web 2.0.

Re:video? (1)

WebHostingGuy (825421) | about 7 years ago | (#20755563)

Because a screenshot can be easily faked. Posting a video so quickly after it happened gives credence that the hack was real as it takes longer to fake a video, and the longer the video the longer it would take to fake. Immediately post a video of a hack and you are sure that the video was messed with (unless the video was made prior to the hack, but that's another story).

Re:video? (1)

AJWM (19027) | about 7 years ago | (#20755773)

What about a video of a faked screenshot?

Re:video? (1)

Loether (769074) | about 7 years ago | (#20755799)

Maybe I misunderstood your post. But once you fake the screen via modified HTML running locally or a photoshopped screen scrape it would be just as easy to make an un-doctored video of the false image on the screen. Not that the whole thing isn't legit to begin with.

No problem! (0)

Psychor (603391) | about 7 years ago | (#20755489)

eBay isn't going to let these potential security issues ruin its core business. As such they're in the process of re-branding from an auction site to more of an online dating service where potential scammers can meet potential scamees.

Whitehat? (4, Informative)

Applekid (993327) | about 7 years ago | (#20755491)

1200 seems kind of low for the kind of community ebay's got.

So I wonder: are these 1200 users the kinds of people who post up an auction for a picture of a coveted item hoping to scam someone out of buku bucks? Are these users that took the money and ran? Or are these legitimate users caught in a genuine hack?

Can't watch the video, and the ebay PR rundown doesn't (and wouldn't) say, but since ebay happily protects fraudulent sellers and refuses to give defrauded buyers any means to recover their losses from the scammers it seems to me like this has potential to be a hacktivism move.

Re:Whitehat? (1)

rozthepimp (638319) | about 7 years ago | (#20756177)

Only 1200 were posted before the forum was shut down.

am I affected? (1)

Speare (84249) | about 7 years ago | (#20755505)

Is there a listing of each ID that is affected? Or do we have to trust eBay to send out the usual 1-year-of-credit-watch "protection" to each affected party?

Since it's gonna happen.... (1)

Seakip18 (1106315) | about 7 years ago | (#20755529)

I'm glad that a forum with Saftey in its name was pulled down. Serves ebay right....

On the other sports page...
Exactly how the guy got the information is a good guess. Probably via phishing scams. In all, this ain't Ebay's fault that people are giving their information away. Now, what Ebay does now that they know.....

Re:Since it's gonna happen.... (0)

Anonymous Coward | about 7 years ago | (#20755811)

This is the info that was posted on those 1200 people. When they hit that number is when ebay woke up and got liveworld to pull the whole Trust & Safety board while they removed the offending posts.

The info looks like it's a little more than a standard phishing exploit. And the names cover the full alphabet and US and at least European countries:

User: maxxxxxis
Email: maxxxxxis@aol.com
Phone: 01xxxx 6xxxx
Name: maxxx xxxis
Street: 57 Dexxxxxxxce
Street 2: 57 Dexxxxxxxce
City: Dxxxxxxx
State: Axxxxx
Zip: Dxxxxx
Country: xxxxxxxxx
Feedback: 468 (99.8%)
Registration site: US
User status: Confirmed
Power seller: None
Payment method: CreditCard
Credit Card: 45xxxxxxxxxxxxxx 01/200x
Credit Card CVV2: xxx
Id verified: false
Store: false
Registered on: 2001-10-10T22:06:59.000Z
Paypal: Verified ()
Judy
Support 911pgp

Virtual credit card (5, Informative)

Big Nothing (229456) | about 7 years ago | (#20755549)

Perhaps a tad off topic, but a great tip nonetheless: check out the "virtual credit cards" you can get nowadays, they're excellent for protecting yourself from all kinds of online problems. The card works much like a disposable e-mail address; you create a virtual card with a unique card number that only exists for a very limited time and that has a defined (read: small) limit. You use that one-time card number to pay for the product you want and dispose of the card afterwards (or rather: forget all about the card afterwards). If someone hacks eBay and finds your number they'll never be able to get any money from it since the card is expired - and even if it's NOT expired, the credit (or rather debit) limit is maxed out.

I got mine for free from my bank and have used it for lots of online purchases - it's fucking awesome.

Re:Virtual credit card (1)

0100010001010011 (652467) | about 7 years ago | (#20755697)

MOD PARENT UP.

I use these things all the time online. Anything online. Even bills (I give it a 2 month expiration). Randomly generated credit cards rock.

Re:Virtual credit card (2, Insightful)

ShatteredArm (1123533) | about 7 years ago | (#20756379)

Do these cards affect your credit score? I know when calculating your score they consider (a) how many new lines of credit you've opened in the last couple of years, (b) how many maxed out cards you have (or how many are over 75% or so), and (c) the average length of time you've had each of your cards. It would seem like getting a disposable card would hurt you in all three areas.

Re:Virtual credit card (1)

cleatsupkeep (1132585) | about 7 years ago | (#20756393)

This is a very good point - one other question I have is - could you be notified about someone trying to buy something on your expired/over limit credit card? Because that would seem to be a good way to see if anyone has a leak into your information or can possibly get a credit card number from you.

No big deal. (5, Insightful)

mckinnsb (984522) | about 7 years ago | (#20755593)

1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was eavesdropping on another network. I had a similar incident happen at my Alma Mater, when a student eavesdropped on the college's internal network (yes, they were all on the same subnet, and yes, that's stupid, and yes, they've changed it). 3) This is just a "showoff" hack, he is definitely no "White Hat" (not a scientist or security specialist or online rights whatever), but he's not a "Black Hat", because I don't think this kid wants to take anyone's money- or go to jail. Let's call him a "Clown Hat". 4) Uh, it's eBay? Why do eBay and "fraud" suddenly seem uncompatible :)

Fuck you. My account has been fucked over. (1, Informative)

Anonymous Coward | about 7 years ago | (#20756087)

Yesterday, I noticed I couldn't log in to my own fucking account. It kept saying my password was incorrect. I had to call up PayPal. I found out that all of my money in PayPal (I had around $7,000 USD) is gone. eBay won't let me know what happened and want to charge me seller's fees when I never even owned what was sold! I suspect some low life has taken over my eBay, PayPal, and even my GMail account (same password because I have poor memory). PayPal says there is nothing they can do for me and that I owe them for the negative account balance and eBay for the seller fees.

I am really worried because my eBay name has been ruined with negatives from fraudulent sales and I depend on it to pay my bills. Now I have no money because some fucker took everything in PayPal so I can't pay my credit card bill which is due today. To all the people that are playing this down: Fuck you. Fuck eBay, too.

Re:Fuck you. My account has been fucked over. (2, Insightful)

Mister Whirly (964219) | about 7 years ago | (#20756469)

"To all the people that are playing this down: Fuck you. Fuck eBay, too."

And to you I would say - stop being so lazy and using the same passwords for all your important financial accounts. If your account really did get drained, it is at the very least partially your fault for not using unique, strong passwords. How is ebay responsible for your lack of security planning??

Re:Fuck you. My account has been fucked over. (1)

SleepyHappyDoc (813919) | about 7 years ago | (#20756471)

(same password because I have poor memory)

It sucks that this happened to you. But you allowed it to happen, when you chose convenience over security. I guess now you know why that's a bad idea.

Re:No big deal. (1)

oztiks (921504) | about 7 years ago | (#20756169)

Hmmm ... 1,200 times say $1,000 (avg credit limit; most people are much higher and some lower)

Let's see, that comes to roughly $1,200,000.

Yes, no big deal; I can see Visa and Mastercard overlooking that type of liability.

If it was a man in the middle attack like you suggest this creates larger problems for the e-commerce industry as a whole. I'm hoping it came from eBay's internal servers; a patchable security fault will make me sleep better.

This is simply the beginning of websites becoming major targets for malware; previously it was people's home PCs, now it's websites. My guess is this data was taken via some sort of malware through an uploaded eBay page being able to steal sessions or cookie data.

Re:No big deal. (1)

DrWhizBang (5333) | about 7 years ago | (#20756197)

Let's call him a "Clown Hat"

Yes, in fact, I think I will do that. You sir, have just added some nice new jargon to my vocabulary. Many thanks!

Re:No big deal. (0)

Anonymous Coward | about 7 years ago | (#20756327)

Why do eBay and "fraud" suddenly seem uncompatible
Why does "uncompatible" suddenly seem like it's not a word?

1200 posted but were ALL accounts compromised? (1, Insightful)

Anonymous Coward | about 7 years ago | (#20755603)

The article says they posted 1200 online, but I wonder if ALL accounts were compromised and only 1200 were posted.

alphabetical (3, Informative)

htricia (1133795) | about 7 years ago | (#20755657)

According to the YouTube video it seems as though only those with usernames starting with a, b, j, k were affected.
Chances are I am wrong, but if that's the case then that narrows the list down, and I wouldn't have to worry.

hacked? (3, Interesting)

koogydelbbog (451219) | about 7 years ago | (#20755663)

are they sure ebay itself was hacked?

i only ask because i had a better-than-usual phishing attempt this morning telling me my ebay account had been 'restricted' and it wouldn't be too hard to harvest 1200 passwords from the above without hacking ebay itself.

email text:

"A33 TKO NOTICE: Restricted Account Access

We have taken steps to secure your eBay account, including review of your
personal information and placing a temporary restriction on your account. Any
activity has been cancelled and any associated fees have been credited to your
account. We assure you that your credit card and bank details are stored on a
secure server and cannot be viewed by anyone.

Your account is currently blocked from listing and bidding on items, and from
sending email through Ask Seller a Question or Contact eBay member. To restore
full access to your account, please follow the instructions in this email."

login to your account link was:
http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1 [ebayobjects.com]

i.e. it had a suspicious 2nd address in the URL, one which resolves to Australia

Re:hacked? (1)

speaker of the truth (1112181) | about 7 years ago | (#20755869)

I entered in "ausername" and "apassword" to see what page it takes me to and it asks for my name, address, credit card number, etc. If someone is stupid enough to put in their address, surely they're stupid enough to put in the correct credit card?

Re:hacked? (2, Insightful)

KevMar (471257) | about 7 years ago | (#20755909)

Thank you, DoubleClick, for making this one happen.

They have an open redirector that anyone can use to help hide the destination url.

Normally I would blast someone for posting phishing links on other web pages, but I would trust Slashdot users to not fall for it.
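Added example (not from the thread): a small link inspector of the kind a mail filter would run over the redirector link quoted above. It splits a URL at every embedded http:// or https://, reports the final destination host, and flags an IP-literal host or a brand name that appears only in the path. The sample URL, hosts, IP and the list of trusted suffixes are constructed placeholders in the shape of that link, not the values from the original email.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

# Constructed URL in the shape of the link quoted above: a redirector on
# one host whose query string carries the real destination. The hosts and
# the IP are placeholders, not the ones from the original email.
SAMPLE_URL = ("http://ads.redirector.example/2c;13012399;10693575;h?"
              "http://192.0.2.10/signin.ebay.co.uk/ws/?co_partnerid=2&UsingSSL=1")

# Hosts we consider the genuine sign-in hosts for this check (assumption).
TRUSTED_SUFFIXES = (".ebay.com", ".ebay.co.uk", ".paypal.com")

SCHEME_RE = re.compile(r"https?://", re.IGNORECASE)


def split_chain(url):
    """Cut a URL at every http:// or https:// after the first one, giving
    the redirector URL followed by each URL embedded inside it."""
    starts = [m.start() for m in SCHEME_RE.finditer(url)]
    if not starts:
        return [url]
    return [url[a:b] for a, b in zip(starts, starts[1:] + [len(url)])]


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url, trusted_suffixes=TRUSTED_SUFFIXES):
    """Report where a link really lands and which deception patterns it
    shows. Percent-decoding first catches http%3A%2F%2F-style embedding."""
    chain = split_chain(unquote(url))
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    brands = [s.lstrip(".") for s in trusted_suffixes]
    trusted = any(host == b or host.endswith(s)
                  for b, s in zip(brands, trusted_suffixes))
    findings = []
    if len(chain) > 1:
        findings.append("redirect-chain")   # destination hidden behind a redirector
    if is_ip_literal(host):
        findings.append("ip-literal-host")  # no domain at all, just an address
    if not trusted and any(b in final.path.lower() for b in brands):
        findings.append("brand-in-path")    # brand name placed where users look
    return {"final_host": host, "hops": len(chain),
            "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    print(inspect_link(SAMPLE_URL))
    print(inspect_link("https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"))
```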

Re:hacked? (1)

koogydelbbog (451219) | about 7 years ago | (#20755995)

(sorry, didn't realise that slashdot would linkify that url.)

Re:hacked? (1)

tlhIngan (30335) | about 7 years ago | (#20756059)

The question is, what does "TKO" stand for? I notice a *LOT* of phishes all have that somewhere (usually in the subject as "TKO Notice:"). You'd think most eBay phishes would use plain English, and not techie words like "TKO" (and I don't know what it means).

BTW, according to eBay, all email from them includes your eBay username in them. (Likewise, from Paypal, which will have your real name in them and in the To header). For eBay, that's public information (except the username to e-mail address isn't, until you make it so by replying rather than using the message center - even the recipient is blocked by the "eBay_username members@ebay.com" reply address).

Re:hacked? (1)

ramrom (934556) | about 7 years ago | (#20756279)

I got the same e-mail after 20-odd spam replies and inquiries concerning items on eBay listing me as the seller; it does not have any links:

It appears your account was accessed by an unauthorized third party and used to send unsolicited emails to other community members, including email offers to sell items outside of eBay. It does not appear that your account was used to list or bid on any items. Additionally, the email address on your account may have been tampered with, which is why you may not have received any emails about this activity.

At this time we have taken several steps to secure your eBay account. Rest assured that your credit card and banking information is safe on the eBay site. This information is kept encrypted on a secure server and cannot be viewed by anyone.

To regain control of your account, please complete the following:
1. Change the password on your personal EMAIL account to verify that it is secure and cannot be accessed by anyone other than you.
2. Change the password on your eBay account. To do so, click the "Forgot your password" link on the eBay sign-in page and change your password using the instructions provided.
3. Follow the steps below to secure your account:
> Click on the "Security & Resolution Center" link found at the bottom of most eBay pages.
> Click on the "eBay Account Protection" link in the "Online Security Resources" box. This will take you to the help page titled "Securing Your Account and Reporting Account Theft."
> Follow the instructions provided in "Securing Your Account".

As you take these steps, please be aware that you may need to repeat the instructions provided above or use the "Back" button on your Web browser to return to the "Securing Your Account" page.

To learn more about these fake or "spoof" eBay emails, visit the "Security Center" link found at the bottom of most eBay pages followed by the "Stopping spoof emails and Web sites" under "General Online Safety."

If you are contacted with questions about the messages that were sent from your account or other related issues, please refer those individuals to the web address provided above.


Regards,
eBay Trust & Safety

Re:hacked? (1)

DieByWire (744043) | about 7 years ago | (#20756325)

I only ask because I had a better-than-usual phishing attempt this morning ....

It was a better than usual phish (of course, a lot are pretty bad). Netcraft Toolbar [netcraft.com] for FF caught it, though. It would be interesting to know how long it took for Netcraft to identify it as a phish.

Jobs? (0)

Anonymous Coward | about 7 years ago | (#20755669)

Maybe they're just trying to get jobs like the worm creator from China?

One point to be made-- (5, Informative)

Donniedarkness (895066) | about 7 years ago | (#20755671)

Ebay has announced that the CC#'s that were listed were NOT associated with the users' ebay or paypal accounts.

The guy had to have either:

A) Made them up

B) Gotten them somewhere else.

Regardless, he's just a troll trying to create bad press for eBay.

Re:One point to be made-- (1)

dankasfuk (885483) | about 7 years ago | (#20755827)

It surprises me there isn't more bad press on eBay. I recently had issues with someone obtaining my login information, changing my personal information and then bidding on ~$4000 worth of cell phones, DVD players, etc. In the process of undoing these purchases (in which I won't even go into detail about how many infuriating "live chats" _that_ took), I spoke with a PayPal tech whom I asked how this happened without being phished or replying to shady spam. He proceeded to tell me this occurs *all the time* by 'hackers' who extract information from browser cookies. I'm so done with eBay and PayPal. Good riddance.

Re:One point to be made-- (1)

Scott Williams (133474) | about 7 years ago | (#20756361)

I was wondering if you spoke with the PayPal tech about how login information can be extracted from browser cookies. I thought these were just randomly generated strings used to identify the browser instance to the server, where the personal information is kept. I suppose it's possible for a perpetrator to hijack a browser session, through sniffing packets, or physical access to the user's computer, but that doesn't sound like cookie information extraction.

Re:One point to be made-- (1, Funny)

Anonymous Coward | about 7 years ago | (#20755837)

Ebay said this? That's what I would say if I were them too...

Re:One point to be made-- (1)

mckinnsb (984522) | about 7 years ago | (#20755839)

> Ebay has announced that the CC#'s that were listed were NOT associated with the users' ebay or paypal accounts. The guy had to have either: A) Made them up B) Gotten them somewhere else. Regardless, he's just a troll trying to create bad press for eBay.

Ah. In light of this new information, my bet is on A).

Re:One point to be made-- (1)

sdhoigt (1095451) | about 7 years ago | (#20756075)

> Ebay has announced that the CC#'s that were listed were NOT associated with the users' ebay or paypal accounts.

Whew! That's a relief!!

Er, wait a min...

Re:One point to be made-- (1)

darkmeridian (119044) | about 7 years ago | (#20756445)

Or perhaps eBay is incompetent or lying. This may be amazing, but hackers may actually cover their tracks so well that administrators don't even know exactly what was stolen. For example, data that is supposed to be transient may be intercepted and saved by the hacker. The administrator doesn't know what was there because the transient data was destroyed and not saved on their systems. This is almost definitely not the case here because the eBay server would have to be massively PWND but it's definitely happened before on a massive scale.

Bet 20$ none of those users had the Secure dongle (2, Interesting)

Anonymous Coward | about 7 years ago | (#20755715)

I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.

In fact my number right now is 342498. GO and hack my account now.... oh wait, it just changed... 096443 is the new number, you've got 25 seconds.

Re:Bet 20$ none of those users had the Secure dong (0)

Anonymous Coward | about 7 years ago | (#20756305)

Phishing scams maybe. But if you fall for those it's your own fault.

That token doesn't prevent your account from being hacked. I mean hacked in the true sense where someone breaks into the server and has full access to anything they need. They don't need your account info to do this.

Re:Bet 20$ none of those users had the Secure dong (0)

Anonymous Coward | about 7 years ago | (#20756313)

Secure dongle? You mean a strap-on?

Re:Bet 20$ none of those users had the Secure dong (0)

Anonymous Coward | about 7 years ago | (#20756415)

If you show me your dongle, I'll show you mine.

Lying by omission to try to remove this info (1)

speaker of the truth (1112181) | about 7 years ago | (#20755803)

It is lying by omission to try to remove the information on YouTube or any other website (the usernames and addresses are correct while the credit card numbers appear to be incorrect) as that would be censorship and is wrong. At least according to this anonymous coward and the mods who modded me troll. [slashdot.org] It's sad to see an example of my counterclaim up so quickly, although at least only the address is correct and it shouldn't hurt people financially (although I wouldn't want my address linked with my Slashdot or eBay accounts).

Perhaps it was The Decepticons! (2, Funny)

mamono (706685) | about 7 years ago | (#20755931)

Did they post the personal info for Ladiesman217?

Microsoft-IIS/5.0 (-1, Troll)

Wingsy (761354) | about 7 years ago | (#20755951)

eBay runs Microsoft-IIS/5.0, so what did we expect, security?

Re:Microsoft-IIS/5.0 (4, Funny)

Anonymous Coward | about 7 years ago | (#20756175)

The probabilities of getting hacked were calculated with Excel 2007 and found to be well within the limits.

Let me be the first to say.. (-1, Flamebait)

Panaflex (13191) | about 7 years ago | (#20756101)

You stoopid idiots!

I've seen too many incidents of hackers gaining access into the eBay admin systems - forum takeovers, listing problems, and such.

Is it so hard to audit your network, code, and such? Well, yes - it takes WORK. Not only is it required for Sabanes-Oaxly, but I would think that risking a huge business like this would be enough of a motivator.

I'd love to say I'm special, as I am a security engineer, but come on! There's thousands of geeks with the background to clean this up. Get Crackin!

Re:Let me be the first to say.. (1)

Panaflex (13191) | about 7 years ago | (#20756141)

Argh... Sarbanes-Oxley, I hate that spelling...

ebay Statement (5, Informative)

spacerog (692065) | about 7 years ago | (#20756153)

http://www.ebaychatter.com/the_chatter/2007/09/trust-safety-fo.html [ebaychatter.com]

Trust & Safety forums issue this morning

Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account takeover.

The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

I'll update this story later as we have more to share.

Forum Vendor? (1)

ibjhb (173533) | about 7 years ago | (#20756215)

FTA: "eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started."

I'm curious, why would a company the size of eBay (in both $ and employees) use a third party vendor for their forums? Why wouldn't they just invest in developing their own forums and avoid potentially embarrassing publicity?

Re:Forum Vendor? (1)

funpet (836434) | about 7 years ago | (#20756299)

Because if they use third party software, they can blame the vendor for problems like this.

WHAT HAPPENED: Fraudulent Items on eBay (4, Interesting)

N8F8 (4562) | about 7 years ago | (#20756293)

I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get your item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was being redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar to warn them.

Re:WHAT HAPPENED: Fraudulent Items on eBay (-1, Troll)

Anonymous Coward | about 7 years ago | (#20756443)

Wow, good job on announcing to the world that all it takes to make you click on a spam link is a picture of a naked lady. What are you, 12?

How about "eBay not hacked, you morons" as headline (1)

Dralithi (983409) | about 7 years ago | (#20756427)

At least Seakip18 has the right idea. I think the sensationalist headline of "ebay hacked" is total BS. It's probably nothing more than the result of phishing. People are that gullible.

1. PLEASE for the love of GOD don't respond to suspicious emails. Spoofers' emails are looking more and more official and have fewer spelling errors than ever.

2. DON'T click on any links from PayPal or eBay emails. Just type the site into your browser! https://www.paypal.com/ [paypal.com]

Let's be safe people!

eBay item (1)

dontspitconfetti (1153473) | about 7 years ago | (#20756455)

If he really did get sensitive account information (which I highly doubt), then he should have put them all up for auction on eBay! Anyone who wanted their info safe would have to win against everyone else trying to do the same thing.