Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ebay Hacked, User Info Posted

Posted by CmdrTaco on from the hate-when-that-happens dept.

An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 ebay users on the eBay.com Trust & Saftey forums. eBay pulled the Trust & Safety forums off line, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay response is on the eBay chatter page, and seems to try and down play this "fraudster"'s activity."

24 of 242 comments (clear)

  1. Fraudster? by Hatta · · Score: 4, Insightful

    If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Fraudster? by Frigga's+Ring · · Score: 3, Insightful

      While what you said makes sense, it's really a cold comfort when you consider the personal information at risk. The hacker could have posted it in the forums just to cause chaos or for a hundred other reasons. If it was merely used as a warning that eBay's security is lacking, they could have done it through an e-mail to the administrators or to a reputable news site.

    2. Re:Fraudster? by Judebert · · Score: 5, Informative

      Ebay claims in TFA that the information was incorrect. In short, it's just a fraud, a scam, an attempt to get Ebay tech support and its customers riled up.

      --

      For geek dads: Contraction Timer

    3. Re:Fraudster? by StillNeedMoreCoffee · · Score: 5, Insightful

      I don't know, which is worse. Someone that tries to steal your identity and possibly get caught and go to prison and/or pay fines, or someone that posts your personal identifying information on a hugely public site so hundreds maybe thousands of people can take and use that information. I would guess that the information got out in the hacker community quickly and they all made copies of that information.

      This kind of behaviour is reprehensible. If you wanted to let EBay know they have a security problem, tell them, anonomously if you must, but posting other peoples indentifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

    4. Re:Fraudster? by PalmKiller · · Score: 4, Informative

      They called him a fraudster because the credit card info did not match the users card info, so they think its just a fake attempt to scare ebayers.

    5. Re:Fraudster? by htricia · · Score: 5, Insightful

      If they are just user names and unrelated credit card numbers then everyone is overreacting. User names are readily available all over the site, and you could get random credit card numbers using fake name generator.

    6. Re:Fraudster? by kd5ujz · · Score: 5, Informative

      Jumped the gun a little, here is the site
      http://www.beachnet.com/~hstiles/cardtype.html

      --
      -William
      God is everything science has yet to explain.
    7. Re:Fraudster? by billcopc · · Score: 5, Interesting

      Anyone who's ever submitted such "well-intended" reports, sometimes they get a "thank you" and the problems get fixed, but more often there is resistance and hostility. Now this is pure speculation, devil's advocate if you will, but what if the hacker had already tried to contact eBay and was rebuffed, or perhaps he (or his client) was the victim of fraud as a result of eBay's poor security and this was retaliation.

      Sometimes, when someone doesn't listen to your kind advice, you have to make them listen.

      --
      -Billco, Fnarg.com
  2. When will EBay notify? by charleste · · Score: 4, Insightful

    I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.

    1. Re:When will EBay notify? by Shihar · · Score: 4, Insightful

      At least in the case of Monster.com, the only thing taken was the stuff you could have gotten off anyone's resume. Sure, that can help a phishing scam, but it isn't the end of the world. This is far far bigger. Having credit card numbers stolen is a very big deal. If those 1200 posted were all that was stolen, then this will just be a minor inconvenience. E-bay will contact everyone and get those numbers promptly canceled. If on the other hand the 1200 posted numbers were just a display and proof that the hack had happened and that there were more stolen, then there is a very serious problem.

      Even as it stands, unless E-bay can show beyond a shadow of a doubt that only those posted were the ones stolen, anyone credit card number that e-bay has should be held as suspect for potentially having been stolen. Ebay has really dropped the ball. It will be interesting to see how they scramble to deal with this.

    2. Re:When will EBay notify? by bitt3n · · Score: 5, Funny

      I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.
      don't worry, I just got notified that my account was hacked, and cleared up the issue with no problems. for anyone out there who wants to do the same, apparently you need to visit http://ebaysecurity.ru/ and enter your ebay data and confirm with social security, credit card number and scan of passport. it only took me about 5 minutes. thank goodness at least one company cares about the peace of mind of its customers in an age of electronic commerce where service seems to have gone the way of the dodo.
      --
      how many pairs of boxer shorts should you own?
  3. Whitehat? by Applekid · · Score: 4, Informative

    1200 seems kind of low for the kind of community ebay's got.

    So I wonder: are these 1200 users the kinds of people who post up an auction for a picture of a coveted item hoping to scam someone out of buku bucks? Are these users that took the money and ran? Or are these legitimate users caught in a genuine hack?

    Can't watch the video, and the ebay PR rundown doesn't (and wouldn't) say, but since ebay happily protects fraudulent sellers and refuses to give defrauded buyers any means to recover their losses from the scammers it seems to me like this has potential to be a hacktivism move.

    --
    More Twoson than Cupertino
  4. Virtual credit card by Big+Nothing · · Score: 5, Informative

    Perhaps a tad off topic, but a great tip nonetheless: check out the "virtual credit cards" you can get nowadays, they're excellent for protecting yourself from all kinds of online problems. The card works much like a disposable e-mail address; you create a virtual card with a unique card number that only exists for a very limited time and that has a defined (read: small) limit. You use that one-time card number to pay for the product you want and dispose of the card afterwards (or rather: forget all about the card afterwards). If someone hacks eBay and finds your number they'll never be able to get any money from it since the card is expired - and even if it's NOT expired, the credit (or rather debit) limit is maxed out.

    I got mine for free from my bank and have used it for lots of online purchases - it's fucking awsome.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
    1. Re:Virtual credit card by 0100010001010011 · · Score: 4, Informative

      No. I officially have 1 "Card". When I want another card I login to Citicards.com and go to the VAN (Virtual Account Number). They have a Flash online version or a 'local' version for XP. You then get a credit card number is defaulted to expire the next month. Even if it's the last day of the month (it's designed to be used immediately). The numbers can only be used once and you can additionally set up a limit on how much money the card is limited to and in how long it should expire. I usually just accept the defaults with reputable businesses. If the website looks a bit shady, I can limit the useage to Cost + $1.

      Everything is tied to your main account, but if 'they' get the temp number, it's useless. It doesn't count towards having a new line of credit, maxing out your card (unless you max out your Account) or how long you've had the card. I think in the last year I've made 100+ of them. Used for everything for bills (Who in their right mind would send valid credit card information though the mail, then they have *everything*) To online orders.

  5. No big deal. by mckinnsb · · Score: 5, Insightful

    1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was evesdropping on another network. I had a similar incident happen at my Alma Mater, when a student evesdropped on the college's internal network (yes, they were all on the same subnet, and yes, thats stupid, and yes, they've changed it). 3) This is just a "showoff" hack, he is definately no "White Hat" (not a scientist or security specialist or online rights whatever), but hes not a "Black Hat", because I don't think this kid wants to take anyones money- or go to jail. Lets call him a "Clown Hat". 4) Uh, its eBay? Why do eBay and "fraud" suddenly seem uncompatible :)

  6. alphabetical by htricia · · Score: 3, Informative

    According to the youtube video it seems as though only those with usernames starting with a,b,j,k were effected.
    Chances are I am wrong, but if thats the case then that narrows the list down, and I wouldn't have to worry.

  7. hacked? by koogydelbbog · · Score: 3, Interesting

    are they sure ebay itself was hacked?

    i only ask because i had a better-than-usual phishing attempt this morning telling me my ebay account had been 'restricted' and it wouldn't be too hard to harvest 1200 passwords from the above without hacking ebay itself.

    email text:

    "A33 TKO NOTICE: Restricted Account Access

    We have taken steps to secure your eBay account, including review of your
    personal information and placing a temporary restriction on your account. Any
    activity has been cancelled and any associated fees have been credited to your
    account. We assure you that your credit card and bank details are stored on a
    secure server and cannot be viewed by anyone.

    Your account is currently blocked from listing and bidding on items, and from
    sending email through Ask Seller a Question or Contact eBay member. To restore
    full access to your account, please follow the instructions in this email."

    login to your account link was:
    http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1

    ie it had a susipicious 2nd address in url, one which resolves to australia

  8. One point to be made-- by Donniedarkness · · Score: 5, Informative
    Ebay has announced that the CC#'s that were listed were NOT associated with the users' ebay or paypal accounts.

    The guy had to have either:

    A) Made them up

    B) Gotten them somewhere else.

    Regardless, he's just a troll trying to create bad press for eBay.

    --
    Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
  9. Real Deal EBay by spaceyhackerlady · · Score: 4, Informative

    I get EBay phish email all the time, and I get real EBay email all the time.

    It's easy to tell them apart. EBay never ask for credit card information (they don't have it); the phishers always do. EBay know my name, and use it. The phishers don't.

    ...laura

  10. ebay Statement by spacerog · · Score: 5, Informative
    http://www.ebaychatter.com/the_chatter/2007/09/trust-safety-fo.html

    Trust & Safety forums issue this morning

    Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

    Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.

    The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

    eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

    I'll update this story later as we have more to share.

  11. Re:Microsoft-IIS/5.0 by Anonymous Coward · · Score: 4, Funny

    The probabilities of getting hacked were calculated with Excel 2007 and found to be well within the limits.

  12. WHAT HAPPENED: Fradulent Items on eBay by N8F8 · · Score: 4, Interesting

    I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get you item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was beign redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar towarn them.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  13. Re:Just beautiful. by digitig · · Score: 4, Funny

    "We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves." "Hello, this is eBay. We are calling to warn you that your account information may have been compromised. But before I go any further, I just need to confirm some security details. Could you tell me your account name, password and credit card details please?"
    --
    Quidnam Latine loqui modo coepi?
  14. I wonder ... by golodh · · Score: 5, Insightful
    Strictly speaking, in an ideal world, you'd copy the list to Ebay, and they would *immediately* block all accounts on the list, contact all affected customers telling them their credit-card data plus contact information has been compromised, that they should change their credit-card number at once, that they would be willing to speak to their credit-card company to explain what happened and absorb any fees the credit-card company charges to issue a new card, help them to create new Ebay logins, and report the breach of their security to the CERT and the FBI. And we all trust Ebay to do all of that on their own initiative, right?

    Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest. I'm not optimistic since any admissions on their part cost them money, dent their public image, may cost them customers, and could make them easier to sue in case accounts are abused (either before or after the data becomes public).

    Of course it's irresponsible to publish this sort of information (credit-card numbers, contact details) on the web. And yes ... perhaps there should be an independent authority (e.g. the police, the FBI) where you can go with your information and be certain that action will be taken instead of making it accessible to the world and his dog.

    In the absence of a clear-cut authority to report to I'm still not quite convinced that the "shock-and-awe" effect of bluntly putting the data on the web isn't needed to prod Ebay into action to take measures.