Ebay Hacked, User Info Posted
An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 eBay users on the eBay.com Trust & Safety forums. eBay pulled the Trust & Safety forums offline, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay's response is on the eBay chatter page, and seems to try and downplay this "fraudster"'s activity."
If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.
Give me Classic Slashdot or give me death!
I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.
1200 seems kind of low for the kind of community ebay's got.
So I wonder: are these 1200 users the kinds of people who post up an auction for a picture of a coveted item hoping to scam someone out of beaucoup bucks? Are these users that took the money and ran? Or are these legitimate users caught in a genuine hack?
Can't watch the video, and the ebay PR rundown doesn't (and wouldn't) say, but since ebay happily protects fraudulent sellers and refuses to give defrauded buyers any means to recover their losses from the scammers it seems to me like this has potential to be a hacktivism move.
More Twoson than Cupertino
Perhaps a tad off topic, but a great tip nonetheless: check out the "virtual credit cards" you can get nowadays, they're excellent for protecting yourself from all kinds of online problems. The card works much like a disposable e-mail address; you create a virtual card with a unique card number that only exists for a very limited time and that has a defined (read: small) limit. You use that one-time card number to pay for the product you want and dispose of the card afterwards (or rather: forget all about the card afterwards). If someone hacks eBay and finds your number they'll never be able to get any money from it since the card is expired - and even if it's NOT expired, the credit (or rather debit) limit is maxed out.
I got mine for free from my bank and have used it for lots of online purchases - it's fucking awesome.
SIG: TAKE OFF EVERY 'CAPTAIN'!!
1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was eavesdropping on another network. I had a similar incident happen at my alma mater, when a student eavesdropped on the college's internal network (yes, they were all on the same subnet, and yes, that's stupid, and yes, they've changed it). 3) This is just a "showoff" hack; he is definitely no "White Hat" (not a scientist or security specialist or online rights whatever), but he's not a "Black Hat", because I don't think this kid wants to take anyone's money - or go to jail. Let's call him a "Clown Hat". 4) Uh, it's eBay? Why do eBay and "fraud" suddenly seem incompatible :)
According to the youtube video it seems as though only those with usernames starting with a, b, j, k were affected.
Chances are I am wrong, but if that's the case then that narrows the list down, and I wouldn't have to worry.
Are they sure eBay itself was hacked?
I only ask because I had a better-than-usual phishing attempt this morning telling me my eBay account had been 'restricted', and it wouldn't be too hard to harvest 1200 passwords from the above without hacking eBay itself.
email text:
"A33 TKO NOTICE: Restricted Account Access
We have taken steps to secure your eBay account, including review of your
personal information and placing a temporary restriction on your account. Any
activity has been cancelled and any associated fees have been credited to your
account. We assure you that your credit card and bank details are stored on a
secure server and cannot be viewed by anyone.
Your account is currently blocked from listing and bidding on items, and from
sending email through Ask Seller a Question or Contact eBay member. To restore
full access to your account, please follow the instructions in this email."
The "login to your account" link was:
http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1
i.e. it had a suspicious 2nd address in the URL, one which resolves to Australia.
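The link quoted in that comment shows three of the usual tells at once: a redirect wrapper carrying a second URL, a raw IP address as the real destination, and the brand name (signin.ebay.co.uk) stuffed into the path rather than the hostname, with a "UsingSSL=1" parameter on a plain-http link. The following analyser is an added example, not code from this thread, eBay or any mail filter; it takes the quoted URL as its sample input, treats only ebay.com, ebay.co.uk and paypal.com as trusted domains (an assumption made here), and constructs a legitimate-looking comparison URL for contrast.

```python
"""Flag phishing-style sign-in links, using the URL quoted in the thread.

Added example for illustration, not the thread's or eBay's own code.
The trusted-domain list and the LEGIT_URL sample are assumptions made here.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# The link quoted in the comment above (wrapper with an embedded second URL).
PHISH_URL = ("http://us.ebayobjects.com/2c;13012399;10693575;h?"
             "http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll"
             "?co_partnerid=2&siteid=0&UsingSSL=1")
# Constructed for contrast: a sign-in URL that stays on the brand's own domain.
LEGIT_URL = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"

TRUSTED = ("ebay.com", "ebay.co.uk", "paypal.com")   # assumption: the only hosts we trust
BRANDS = ("ebay", "paypal")

SCHEME = re.compile(r"https?://", re.IGNORECASE)


def extract_urls(text):
    """Return every URL in text, including one nested inside another URL's
    path or query (the redirect-wrapper trick).  Outermost first."""
    text = unquote(text)          # also catches %-encoded nested links
    urls = []
    for m in SCHEME.finditer(text):
        tail = text[m.start():]
        end = re.search(r"[\s\"'<>]", tail)
        urls.append(tail[:end.start()] if end else tail)
    return urls


def is_ip_host(host):
    """True if the hostname is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def on_trusted_domain(host, trusted=TRUSTED):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def analyse(url, trusted=TRUSTED):
    """Return the reasons a link looks like a phish (empty list = nothing flagged)."""
    reasons = []
    chain = extract_urls(url)
    if len(chain) > 1:
        reasons.append(f"redirect wrapper: {len(chain)} URLs chained together")

    final = urlsplit(chain[-1])          # the innermost URL is where the browser ends up
    host = (final.hostname or "").lower()
    if is_ip_host(host):
        reasons.append(f"raw IP host {host}")
    trusted_host = on_trusted_domain(host, trusted)
    if not trusted_host:
        reasons.append(f"final host {host!r} is not a trusted domain")

    rest = (final.path + "?" + final.query).lower()
    if not trusted_host and any(b in rest for b in BRANDS):
        reasons.append("brand name appears in the path/query, not the hostname")
    if "usingssl=1" in final.query.lower() and final.scheme.lower() == "http":
        reasons.append("claims SSL in the query but the scheme is plain http")
    return reasons


if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL):
        print(u)
        for r in analyse(u) or ["(nothing flagged)"]:
            print("  -", r)
```

The check on the final hop is what matters: a wrapper on a plausible-looking domain is exactly how such links get past a glance, so the analyser always judges the innermost URL, not the first hostname the reader sees.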
The guy had to have either:
A) Made them up
B) Gotten them somewhere else.
Regardless, he's just a troll trying to create bad press for eBay.
Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.
In fact my number right now is 342498. GO and hack my account now.... oh wait, it just changed... 096443 is the new number, you've got 25 seconds.
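The point of that comment is that a code which rolls over every half-minute is worthless to a phisher who captures it, provided the verifier also refuses to accept the same code twice. The following is an added example, not code from the thread and not the eBay/PayPal token's actual algorithm (which is assumed here to be TOTP-style, RFC 6238 with HMAC-SHA1); the secret and timestamps are constructed, the secret being the RFC 6238 test-vector key.

```python
"""Time-based one-time codes with replay protection (RFC 6238 style).

Added example for illustration; assumes a TOTP-style token and uses a
constructed secret (the RFC 6238 test-vector key), not any real credential.
"""
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds each code is valid
DIGITS = 6

SECRET = b"12345678901234567890"   # constructed demo secret (RFC 6238 test vector)


def totp(secret, at, step=STEP, digits=DIGITS):
    """Code valid at unix time `at`: HMAC-SHA1 over the time-step counter,
    dynamically truncated to `digits` decimal digits."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def seconds_remaining(now, step=STEP):
    """How long the current code stays valid (the "you got 25 seconds" in the comment)."""
    return step - int(now) % step


class Verifier:
    """Server-side check: accepts the current step (+/- `skew` steps for clock
    drift) and never accepts a step twice, so a captured code replayed even
    inside its window is rejected."""

    def __init__(self, secret, skew=1):
        self.secret = secret
        self.skew = skew
        self.last_step = -1          # highest step already used for a login

    def verify(self, code, now=None):
        now = int(time.time() if now is None else now)
        base = now // STEP
        for delta in range(-self.skew, self.skew + 1):
            step = base + delta
            if step <= self.last_step:          # already consumed: replay
                continue
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    v = Verifier(SECRET)
    captured = totp(SECRET, 59)                  # what a phisher would have seen
    print("code at t=59:", captured, "valid for", seconds_remaining(59), "s")
    print("first use:   ", v.verify(captured, now=59))    # True
    print("replayed:    ", v.verify(captured, now=65))    # False, same step
    print("a minute on: ", v.verify(captured, now=120))   # False, window passed
```

Two things the code makes concrete: the drift tolerance means a user whose clock is a few seconds off still gets in, and the `last_step` bookkeeping is what turns "changes every 30 seconds" into "can't be reused at all", which is the stronger property against a phisher sitting in the middle.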
HAH, just wait for the email from eebai@yahoo.com and confirm your credit card details there... well, at least that way you know which ones have been compromised.
They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
SpamAssassin etc. can distinguish real eBay correspondence from phishing attacks. Most of the world regrettably uses webmail these days, but you make a small difference in the lives of your loved ones by setting up a POP account where each e-mail is passed through a filter.
ebay owns paypal
I get EBay phish email all the time, and I get real EBay email all the time.
It's easy to tell them apart. EBay never ask for credit card information (they don't have it); the phishers always do. EBay know my name, and use it. The phishers don't.
...laura
Did they post the personal info for Ladiesman217?
Trust & Safety forums issue this morning
Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.
The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.
I'll update this story later as we have more to share.
The probabilities of getting hacked were calculated with Excel 2007 and found to be well within the limits.
I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get your item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was being redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar to warn them.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
"To all the people that are playing this down: Fuck you. Fuck eBay, too."
And to you I would say - stop being so lazy and using the same passwords for all your important financial accounts. If your account really did get drained, it is at the very least partially your fault for not using unique, strong passwords. How is ebay responsible for your lack of security planning??
"But this one goes to 11!"
Quidnam Latine loqui modo coepi?
I have no incontrovertible proof that it came from eBay, but the credit card that I have on file for eBay was compromised two weeks ago. There were several unauthorized online charges on my account. When it happened I had no way of knowing where the info leaked from. But now, two weeks later, I find out that all of my eBay user account information is available on the internet?!?
I WOULD SAY THAT THIS IS NOT A COINCIDENCE, AND THAT THERE WAS AN ACTUAL MALICIOUS HACKER ATTACK.
If you watch some of the videos related to the one linked above you will see that the person that posted the info to the eBay forums was just trying to get some visibility of the problem that he discovered.
Nope. I pay for listings and sales through paypal.
sig: sauer
Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest. I'm not optimistic since any admissions on their part cost them money, dent their public image, may cost them customers, and could make them easier to sue in case accounts are abused (either before or after the data becomes public).
Of course it's irresponsible to publish this sort of information (credit-card numbers, contact details) on the web. And yes ... perhaps there should be an independent authority (e.g. the police, the FBI) where you can go with your information and be certain that action will be taken instead of making it accessible to the world and his dog.
In the absence of a clear-cut authority to report to I'm still not quite convinced that the "shock-and-awe" effect of bluntly putting the data on the web isn't needed to prod Ebay into action to take measures.
And if you hadn't fucked up, they wouldn't know your Gmail and PayPal passwords. Besides, you don't have any concrete proof that this is related to the Ebay postings, do you? Did it ever occur to you that your password may not be that strong and was simply guessed or brute-forced? Could be a coincidence. Only 1200 out of the millions of Ebay accounts were even posted.
"But this one goes to 11!"
Exciting news: Through a CGI script, you can browse the server of Adobe:
here (this has just been disabled a few minutes ago)
According to heise (German), you were able to get Adobe's private RSA key (which is not much used though) and there are also rumors that they got the private SSL key.
According to my user profile, they don't have my phone number.
Maybe they could get it from my credit card company, but if they did my credit card company would be losing my business.
The Register contacted at least two of the people whose info was posted and they confirmed their accounts had been hacked.
See the story here.
As for the credit card numbers not belonging to the people affected my first thought was the hacker posted the correct contact info but, perhaps to be benevolent, scrambled the credit card numbers. In other words, the card numbers displayed are correct but they're just shown as belonging to someone else. eBay may be realizing this now when they search their databases for the people those numbers really belong to.
You get a new wallet every time you buy disposable panties?
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
When I logged onto PayPal, they had all the red flags up, and required me to prove my identity and change my password, yaddah yaddah yaddah. Several days later, it came through AGAIN, and I found a number for PayPal and gave them a call. Turns out that if my bank denies the transaction, they'll try again, just like with a check or any other purchase.
I thought my password (8 digits) was pretty good, as it was not a word and included numbers, but apparently, it wasn't. Now it's 20 digits long. My bank also made the suggestion that I get a new checking account, as those numbers may be out there as well. I think it's a good point, and I'll have to do that pretty quick.
It's not from phishing, as I can easily see which e-mails are truly from PayPal and which ones aren't. The phishing mails are full of typos, spelling errors, and repeat sentences with different information. They've gotta be done by someone who isn't fluent in the English language. It's actually pretty funny reading material. What's not so funny is that those horribly-done phishing e-mails actually fool some people. Sad state of affairs we have in the education of the country, if you ask me.
-Dave
A fairly comprehensive list of affected ids is available at this site.
10001001111001110110011000011101110