Ebay Hacked, User Info Posted
An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 eBay users on the eBay.com Trust & Safety forums. eBay pulled the Trust & Safety forums off line, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay's response is on the eBay chatter page, and seems to try and downplay this "fraudster"'s activity."
If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.
Give me Classic Slashdot or give me death!
German discussion on heise.de:
http://www.heise.de/newsticker/foren/go.shtml?read=1&msg_id=13602017&forum_id=124661
For those of us who have ebay accounts, does anyone have a list of those accounts compromised? I want to know if I should cancel any credit cards or change any passwords.
...What are eBay doing with credit card information? I thought it was all done through Paypal or escrow services? Or am I missing something?
Operation Guillotine is in effect.
I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.
why on earth would anyone make a video about this? a screenshot is much more effective. plus, less bandwidth.
Some people seem to be imprisoned in web 2.0.
eBay isn't going to let these potential security issues ruin its core business. As such they're in the process of re-branding from an auction site to more of an online dating service where potential scammers can meet potential scamees.
1200 seems kind of low for the kind of community ebay's got.
So I wonder: are these 1200 users the kinds of people who post up an auction for a picture of a coveted item hoping to scam someone out of buku bucks? Are these users that took the money and ran? Or are these legitimate users caught in a genuine hack?
Can't watch the video, and the ebay PR rundown doesn't (and wouldn't) say, but since ebay happily protects fraudulent sellers and refuses to give defrauded buyers any means to recover their losses from the scammers it seems to me like this has potential to be a hacktivism move.
More Twoson than Cupertino
Is there a listing of each ID that is affected? Or do we have to trust eBay to send out the usual 1-year-of-credit-watch "protection" to each affected party?
I'm glad that a forum with Saftey in its name was pulled down. Serves eBay right....
On the other sports page...
Exactly how the guy got the information is a good guess. Probably via phishing scams. In all, this ain't Ebay's fault that people are giving their information away. Now, what Ebay does now that they know.....
import system.cool.Sig;
Perhaps a tad off topic, but a great tip nonetheless: check out the "virtual credit cards" you can get nowadays, they're excellent for protecting yourself from all kinds of online problems. The card works much like a disposable e-mail address; you create a virtual card with a unique card number that only exists for a very limited time and that has a defined (read: small) limit. You use that one-time card number to pay for the product you want and dispose of the card afterwards (or rather: forget all about the card afterwards). If someone hacks eBay and finds your number they'll never be able to get any money from it since the card is expired - and even if it's NOT expired, the credit (or rather debit) limit is maxed out.
I got mine for free from my bank and have used it for lots of online purchases - it's fucking awesome.
SIG: TAKE OFF EVERY 'CAPTAIN'!!
1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was eavesdropping on another network. I had a similar incident happen at my Alma Mater, when a student eavesdropped on the college's internal network (yes, they were all on the same subnet, and yes, that's stupid, and yes, they've changed it). 3) This is just a "showoff" hack, he is definitely no "White Hat" (not a scientist or security specialist or online rights whatever), but he's not a "Black Hat", because I don't think this kid wants to take anyone's money - or go to jail. Let's call him a "Clown Hat". 4) Uh, it's eBay? Why do eBay and "fraud" suddenly seem incompatible :)
The article says they posted 1200 online, but I wonder if ALL accounts were compromised and only 1200 were posted.
According to the youtube video it seems as though only those with usernames starting with a,b,j,k were affected.
Chances are I am wrong, but if that's the case then that narrows the list down, and I wouldn't have to worry.
are they sure ebay itself was hacked?
i only ask because i had a better-than-usual phishing attempt this morning telling me my ebay account had been 'restricted' and it wouldn't be too hard to harvest 1200 passwords from the above without hacking ebay itself.
email text:
"A33 TKO NOTICE: Restricted Account Access
We have taken steps to secure your eBay account, including review of your
personal information and placing a temporary restriction on your account. Any
activity has been cancelled and any associated fees have been credited to your
account. We assure you that your credit card and bank details are stored on a
secure server and cannot be viewed by anyone.
Your account is currently blocked from listing and bidding on items, and from
sending email through Ask Seller a Question or Contact eBay member. To restore
full access to your account, please follow the instructions in this email."
login to your account link was:
http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1
i.e. it had a suspicious 2nd address in the URL, one which resolves to Australia
Maybe they're just trying to get jobs like the worm creator from China?
The guy had to have either:
A) Made them up
B) Gotten them somewhere else.
Regardless, he's just a troll trying to create bad press for eBay.
Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
Expect to receive a letter from "ebay" or "pay-pal" even if you really weren't one of the 1200.
Seriously, if you know anyone who uses ebay, let them know that email is not verified as regards the sender. My wife uses ebay on my account and I get phishing attacks thru ebay and paypal all the time. I'm sure this breach(?) will only make those phishing attacks more common and more effective.
I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.
In fact my number right now is 342498. GO and hack my account now.... oh wait. it just changed... 096443 is the new number, you've got 25 seconds.
It is lying by omission to try to remove the information on youtube or any other website (the usernames and addresses are correct while the credit card numbers appear to be incorrect) as that would be censorship and is wrong. At least according to this anonymous coward and the mods who modded me troll. It's sad to see an example of my counterclaim up so quickly, although at least only the address is correct and it shouldn't hurt people financially (although I wouldn't want my address linked with my slashdot or eBay accounts).
Using openSUSE instead of Windows since 9th of October, 2007 and liking it.
I get EBay phish email all the time, and I get real EBay email all the time.
It's easy to tell them apart. EBay never ask for credit card information (they don't have it); the phishers always do. EBay know my name, and use it. The phishers don't.
...laura
Did they post the personal info for Ladiesman217?
The second URL was a good giveaway. Wonder if the average e-mail user could do that. to teach Internet users about the dangers of phishing. Kind of fun and interesting.
Yesterday, I noticed I couldn't log in to my own fucking account. It kept saying my password was incorrect. I had to call up PayPal. I found out that all of my money in PayPal (I had around $7,000 USD) is gone. eBay won't let me know what happened and want to charge me seller's fees when I never even owned what was sold! I suspect some low life has taken over my eBay, PayPal, and even my GMail account (same password because I have poor memory). PayPal says there is nothing they can do for me and that I owe them for the negative account balance and eBay for the seller fees.
I am really worried because my eBay name has been ruined with negatives from fraudulent sales and I depend on it to pay my bills. Now I have no money because some fucker took everything in PayPal so I can't pay my credit card bill which is due today. To all the people that are playing this down: Fuck you. Fuck eBay, too.
Argh... Sarbanes-Oxley, I hate that spelling...
I said no... but I missed and it came out yes.
Trust & Safety forums issue this morning
Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.
The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.
I'll update this story later as we have more to share.
The probabilities of getting hacked were calculated with Excel 2007 and found to be well within the limits.
FTA: "eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started."
I'm curious, why would a company the size of eBay (in both $ and employees) use a third party vendor for their forums? Why wouldn't they just invest in developing their own forums and avoid potentially embarrassing publicity?
I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get your item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was being redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar to warn them.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Phishing scams maybe. But if you fall for those it's your own fault.
That token doesn't prevent your account from being hacked. I mean hacked in the true sense where someone breaks into the server and has full access to anything they need. They don't need your account info to do this.
Secure dongle? You mean a strap-on?
If you show me your dongle, I'll show you mine.
At least Seakip18 has the right idea. I think the sensationalist headline of "ebay hacked" is total BS. It's probably nothing more than the result of phishing. People are that gullible. 1. PLEASE for the love of GOD don't respond to suspicious emails spoofers' emails are looking more and more official and have fewer spelling errors than ever 2. DON'T click on any links from PayPal or eBay emails. Just type the site into your browser! https://www.paypal.com/ Let's be safe people!
If he really did get sensitive account information (which I highly doubt), then he should have put them all up for auction on eBay! Anyone who wanted their info safe would have to win against everyone else trying to do the same thing.
I just want a list of usernames because I want to know if I, an eBay user, was affected.
I have no incontrovertible proof that it came from eBay, but the credit card that I have on file for eBay was compromised two weeks ago. There were several unauthorized online charges on my account. When it happened I had no way of knowing where the info leaked from. But now, two weeks later, I find out that all of my eBay user account information is available on the internet?!?
I WOULD SAY THAT THIS IS NOT A COINCIDENCE, AND THAT THERE WAS AN ACTUAL MALICIOUS HACKER ATTACK.
If you watch some of the videos related to the one linked above you will see that the person that posted the info to the eBay forums was just trying to get some visibility of the problem that he discovered.
Your dongle won't help with some of the more sophisticated phishing scams, assuming they find a way to make you type in the number yourself. The "better" phishing sites today verify your password in the background and show an error message if it was wrong, so theoretically they could just plunder your paypal account while they are at it - 25 seconds should be more than enough.
Oh no, a bunch of screen names next to an arbitrary alphanumeric hash. Bunkibun37 must be scared $h17less. It's the same style as a previous E-Bay "hack" video on Who?Tube. Some script kiddie is just looking for attention.
Firefox reports the page in your link as a reported forgery. I like Firefox. I'm surprised it has not made it to the scrubit filtered DNS yet.
Will, it's time to fill in another phishing page with garbage. Woo Hoo!
The truth shall set you free!
Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest. I'm not optimistic since any admissions on their part cost them money, dent their public image, may cost them customers, and could make them easier to sue in case accounts are abused (either before or after the data becomes public).
Of course it's irresponsible to publish this sort of information (credit-card numbers, contact details) on the web. And yes ... perhaps there should be an independent authority (e.g. the police, the FBI) where you can go with your information and be certain that action will be taken instead of making it accessible to the world and his dog.
In the absence of a clear-cut authority to report to I'm still not quite convinced that the "shock-and-awe" effect of bluntly putting the data on the web isn't needed to prod Ebay into action to take measures.
I just read that response. I for one find it very professional and correct.
What did you expect ? That E-Bay would just come forward and say: "oh, we haven't fully checked on this yet, but since it was a post on the forum, we are sure it is correct, so we are confirming it".
They are investigating. They are contacting the users that are potentially affected (just in case).
They are not silent. They are not denying that it could have happened. They are even taking preventive measures. What more did you want ?
morcego
That was my first reaction too. But if they really hacked into the eBay servers and were able to get to your credit card information, well then that dongle isn't going to be of much help. Sure you're safe from them bidding for Beanie Babies on your behalf, but the credit card information is another story. Luckily, it sounds like this might be a hoax.
Wanted: witty unique signature. Must be willing to relocate.
An eBay member saved the account information that was posted before it got deleted. They have posted only the eBay account names, not any of the other data. You can look there to see if your account was one posted:
http://shenemanfamily.com/comp.html
Exciting news: Through a CGI-script, you can browse on the server of adobe:
here (this has just been disabled a few minutes ago)
According to heise (German), you were able to get adobe's private RSA key (which is not much used though) and there are also rumors that they got the private SSL-key.
My bank just called me (while reading this article) and told me my credit card was used at itunes, bestbuy, and qvc.. online. I am in the process of getting this sorted out... and it started on the 25th... It was all confirmed fraud... and I think everything will be ok. The bank stopped the transaction before they could go through. Coincidence? In seven years of online transactions, I never had a problem...
To address this anywhere on their site - no mention of it on the front page, no mention in an email in your ebay mail box, absolutely nothing. Way to go ebay.
brian botkiller "Condensing fact from the vapor of nuance" - Neal Stephenson, Snow Crash
It just someone pissed that they got out bid on an A-team lunchbox.
God Be Gone
There is nothing to buy on that site. No wonder its free.
And now the video has been removed:
This video has been removed due to terms of use violation.
"Can of worms? The can is open... the worms are everywhere."
Note to self: Stop putting jokes in my insightful comments so I can get something other than +1 Funny!
I can't make purchases in this fascist society without it!
This kind of behaviour is reprehensible. If you wanted to let eBay know they have a security problem, tell them, anonymously if you must, but posting other people's identifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.
It is EBay's behavior that is reprehensible. We have no evidence whether or not the person tried to tell EBay, but, based on my experience, EBay would do nothing whatsoever about it, other than perhaps try to harass the person who tried to report it. So how else should someone let people know how reprehensible EBay's so-called security is, not to mention their many other policies allowing customers to be abused by merchants?
Fortunately for EBay, there are a great many fools left who continue to use their service
The Register contacted at least two of the people whose info was posted and they confirmed their accounts had been hacked.
See the story here.
As for the credit card numbers not belonging to the people affected my first thought was the hacker posted the correct contact info but, perhaps to be benevolent, scrambled the credit card numbers. In other words, the card numbers displayed are correct but they're just shown as belonging to someone else. eBay may be realizing this now when they search their databases for the people those numbers really belong to.
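Whether the posted card numbers are real, scrambled, or made up (the question raised in the post above and in eBay's statement that they do not match anything on file) has a cheap first check that needs no database: every payment card number carries a Luhn check digit, so a genuine number passes the checksum and a digit-shuffled one usually does not. The block below is an added example, not eBay's or anyone's verification code; the sample numbers are the well-known public test numbers and constructed variants, not anything from the leaked posts, and the 12-19 digit length bound is an assumption taken from the usual card-number format.

```python
"""Luhn check over constructed sample card numbers.

Added example: a quick syntactic test for whether a posted "card number"
could even be a real one.  Passing Luhn does not make a number live; failing
it means it was never issued as shown.
"""
import random

# Public test numbers (never issued to a cardholder) plus constructed variants.
SAMPLE_NUMBERS = [
    "4111 1111 1111 1111",   # classic Visa-format test number, passes Luhn
    "5500 0000 0000 0004",   # Mastercard-format test number, passes Luhn
    "4111 1111 1111 1112",   # one digit changed: fails Luhn
]


def luhn_valid(number: str) -> bool:
    """True when the digits in `number` satisfy the Luhn checksum (ISO/IEC 7812)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 12 <= len(digits) <= 19:        # assumption: card-number length range
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the single check digit that makes `partial` pass Luhn."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return partial + d
    raise ValueError("no check digit found; is the input all digits?")


def scramble(number: str, rng: random.Random) -> str:
    """Shuffle the digits of a number, as a 'benevolent' poster might to defang it."""
    digits = [c for c in number if c.isdigit()]
    rng.shuffle(digits)
    return "".join(digits)


def fraction_valid(numbers) -> float:
    """Share of a list that passes Luhn; a real dump sits near 1.0, noise near 0.1."""
    return sum(luhn_valid(n) for n in numbers) / len(numbers)


if __name__ == "__main__":
    for n in SAMPLE_NUMBERS:
        print(n, "->", "Luhn ok" if luhn_valid(n) else "Luhn FAIL")
    rng = random.Random(7)                 # fixed seed so the run is repeatable
    shuffled = [scramble("4111111111111111", rng) for _ in range(200)]
    print("scrambled copies passing Luhn: %.2f" % fraction_valid(shuffled))
```

Applied to a scraped list, `fraction_valid` separates the two stories told in the thread: a dump of real numbers is almost entirely Luhn-valid, while digit-shuffled or invented numbers pass only about one time in ten, since the check digit rejects nine of ten random strings. It says nothing about whether a valid-looking number is still live or whose it is; that is what eBay's statement addresses and what a checksum cannot.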
Perhaps this is a bad time to tell you they repeat every 19.25 hours.
...No? Then shut the fuck up. Only a group like this would equate a stupid incident online to an actual attempted mass murder. I'd like to strip your stupid computer away from you and stick you in the middle of the Iraqi desert with a bottle of water and a wheelgun with only three rounds left. Let's see how smart you become, then.
This e-Bay incident is NOTHING like shooting a gun into a crowd, so please just shut the fuck up and stick your nose back into your Linux CLI.
I hope no one who's actually lost a loved one in a mass-shooting reads your retarded comment.
Self-important asshole.
If those are live credit cards, they would want to ensure as few people as possible would try to use them.
:wq
cn suddnly whn u hve crdt in pypal..thn they close n say u acc corrupted ..lol more money gone :D
And yet, if it WERE fake, why remove it?
Seems to authenticate it to me...
This may be redundant, but I, being absolutely ignorant in that area, like it when they do helpful things.
[/war] "All the world's a stage, And all the men and women merely players."
Credit cards from CitiCard (which has a range of credit cards) have the virtual account feature --or, at least one does --I don't know if they all do. Another one was a credit card from MBNA, which got bought out by Bank of America. I haven't used mine since it got bought by B of A, because their web site was giving me trouble (I can't remember what; some combination of Best Viewed with IE using Javascript and Flash or something like that) and I already had the Citi alternative.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
itsatrap
Can you give me your PayPal info? I'd like to buy a vowel.
Personally I don't see why the newsposter would include the link to the Youtube video (although it has been taken off by now) it seems that posting a link to the video would be a partial contribution to the problem.
With the video having been removed from YouTube, does anyone have a link to a copy? I am interested to see whether mine is one of the accounts that has been compromised. I do not trust eBay to notify me.
I am probably not on the list (I know a phish when I see one), but just in case...
You can buy a rotating security key from ebay or paypal for 5 bucks.
Then you can't log in without it.
I'm not worried about my account.
They're using their grammar skills there.
I just want to tell everyone that my cc information was used by someone in Iowa. Since yesterday the 25th my account is showing activity on multiple online sites. My bank has informed me that fraudulent activity has been detected and they are in the process of tracking it down. This is no coincidence. I have used online services for over seven years without problem... There is over $2000 in activity in my account since the 25th (yesterday) and I can't imagine it came from anywhere else but this... eBay was compromised. I just happen to be one of the lucky 1200...
Fortunately their Nigerian site is sending out notices via email, though they're a little hard to read. I'm sure they'll get all this sorted out soon enough. Mr Okoye seemed extremely anxious to help.
Appended to the end of comments you post. 120 chars.
It seems like every couple months we get one of those shit eating emails from Bill Cobb elegantly explaining to the eBay world why listing fees and other fees need to be increased.. how come our money isn't being put to good use? where's the security? it's apparent that the reason fees have hiked up was for the fat cats' own personal benefit, and didn't actually secure their system or provide anything of use to the people who support eBay at all!!! thank you Bill "Piece Of Shit" Cobb..
*plays the Apogee theme song music*
It CAN'T make it to filtered DNS, because IP addresses aren't looked up in DNS in the first place! And ebayobjects.com is actually eBay's domain, and I think DoubleClick's software - making it not an illegitimate site.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I suppose eBay is busy cleaning up their "bad reputation." Flame bait? Troll! Yeah right...
I've been in their shoes - writing code and managing millions of credit cards on a web-facing travel application. I have code certified to FIPS 140-2 - I know what it takes to get there.
If they fail customer safety standards they will get my ridicule, as a customer and as an industry colleague.
I have NO problem calling inadequate, dangerous, and reckless companies "stupid idiots." Millions of people TRUST eBay with credit worth billions of dollars - and they have repeatedly failed.
Being called a stupid idiot should be the LEAST of their worries.
I said no... but I missed and it came out yes.
ahaa..no thanks..i dont "like" pypal and "like" to save time XD
When I logged onto PayPal, they had all the red flags up, and required me to prove my identity and change my password, yaddah yaddah yaddah. Several days later, it came thru AGAIN, and I found a number for PayPal and gave them a call. Turns out that if my bank denies the transaction, they'll try again, just like with a check or any other purchase.
I thought my password (8 digits) was pretty good, as it was not a word and included numbers, but apparently, it wasn't. Now it's 20 digits long. My bank also made the suggestion that I get a new checking account, as those numbers may be out there as well. I think it's a good point, and I'll have to do that pretty quick.
It's not from phishing, as I can easily see which e-mails are truly from PayPal and which ones aren't. The phishing mails are full of typos, spelling errors, and repeat sentences with different information. They've gotta be done by someone who isn't fluent in the English language. It's actually pretty funny reading material. What's not so funny is that those horribly-done phishing e-mails actually fool some people. Sad state of affairs we have in the education of the country, if you ask me.
-Dave
You don't need to memorize all of your passwords. Just use a password manager. Like Password Safe (free, open source) by Bruce Schneier. I do have it, and I do have hundreds of passwords, a unique strong random password for each resource I am using. It's not hard, really, and it takes no time. It also doesn't take much time to change a password every X months.
And definitely it is worth having a password manager if you can lose even $50 due to hacking of your account.
eBay users' information on eBay's Trust & Safety forums.. well, the hacker is trying to make us rich with that information.. really, he is so generous. But eBay must be responsible for quick action to block the information posted at the forum; however, we can see the lack of security at eBay, and is it secure for us to continue buying stuff at eBay.. a similar attack is still possible in future.. so be aware!!
Stolen credit cards. Most Internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. There have been many cases of crackers obtaining huge quantities of credit card information from companies' databases. There have been cases of employees of companies that deal with millions of customers selling the credit card information to criminals. Despite the claims of the credit card industry and various merchants, using credit cards for online purchases can be insecure and carries a certain risk. Even so-called "secure transactions" are not fully secure, since the information needs to be decrypted to plain text in order to process it. This is one of the points where credit card information is typically stolen.