Security

Ebay Hacked, User Info Posted

An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 eBay users on the eBay.com Trust & Safety forums. eBay pulled the Trust & Safety forums offline, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay's response is on the eBay chatter page, and seems to try and downplay this "fraudster"'s activity."

  • Fraudster? (Score:5, Insightful)

    by Hatta ( 162192 ) on Wednesday September 26, 2007 @10:54AM (#20755397) Journal
    If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.
  • by charleste ( 537078 ) on Wednesday September 26, 2007 @10:58AM (#20755463)
    I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.
  • Re:Fraudster? (Score:3, Insightful)

    by Frigga's Ring ( 1044024 ) on Wednesday September 26, 2007 @11:03AM (#20755521)
    While what you said makes sense, it's really a cold comfort when you consider the personal information at risk. The hacker could have posted it in the forums just to cause chaos or for a hundred other reasons. If it was merely used as a warning that eBay's security is lacking, they could have done it through an e-mail to the administrators or to a reputable news site.
  • by Shihar ( 153932 ) on Wednesday September 26, 2007 @11:07AM (#20755587)
    At least in the case of Monster.com, the only thing taken was the stuff you could have gotten off anyone's resume. Sure, that can help a phishing scam, but it isn't the end of the world. This is far far bigger. Having credit card numbers stolen is a very big deal. If those 1200 posted were all that was stolen, then this will just be a minor inconvenience. E-bay will contact everyone and get those numbers promptly canceled. If on the other hand the 1200 posted numbers were just a display and proof that the hack had happened and that there were more stolen, then there is a very serious problem.

    Even as it stands, unless E-bay can show beyond a shadow of a doubt that only those posted were the ones stolen, anyone's credit card number that e-bay has should be held as suspect for potentially having been stolen. Ebay has really dropped the ball. It will be interesting to see how they scramble to deal with this.
  • No big deal. (Score:5, Insightful)

    by mckinnsb ( 984522 ) on Wednesday September 26, 2007 @11:08AM (#20755593)
    1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was eavesdropping on another network. I had a similar incident happen at my Alma Mater, when a student eavesdropped on the college's internal network (yes, they were all on the same subnet, and yes, that's stupid, and yes, they've changed it). 3) This is just a "showoff" hack, he is definitely no "White Hat" (not a scientist or security specialist or online rights whatever), but he's not a "Black Hat", because I don't think this kid wants to take anyone's money, or go to jail. Let's call him a "Clown Hat". 4) Uh, it's eBay? Why do eBay and "fraud" suddenly seem incompatible :)
  • by Anonymous Coward on Wednesday September 26, 2007 @11:09AM (#20755603)
    The article says they posted 1200 online, but I wonder if ALL accounts were compromised and only 1200 were posted.
  • Re:Fraudster? (Score:5, Insightful)

    by StillNeedMoreCoffee ( 123989 ) on Wednesday September 26, 2007 @11:12AM (#20755637)
    I don't know, which is worse. Someone that tries to steal your identity and possibly get caught and go to prison and/or pay fines, or someone that posts your personal identifying information on a hugely public site so hundreds maybe thousands of people can take and use that information. I would guess that the information got out in the hacker community quickly and they all made copies of that information.

    This kind of behaviour is reprehensible. If you wanted to let EBay know they have a security problem, tell them, anonymously if you must, but posting other people's identifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

  • Re:Fraudster? (Score:5, Insightful)

    by htricia ( 1133795 ) on Wednesday September 26, 2007 @11:28AM (#20755815)
    If they are just user names and unrelated credit card numbers then everyone is overreacting. User names are readily available all over the site, and you could get random credit card numbers using a fake name generator.
  • Re:hacked? (Score:3, Insightful)

    by KevMar ( 471257 ) on Wednesday September 26, 2007 @11:34AM (#20755909) Homepage Journal
    Thank you double click for making this one happen.

    They have an open redirector that anyone can use to help hide the destination url.

    Normally I would blast someone for posting phishing links on other webpages, but I would trust slashdot users to not fall for it.
  • by ShatteredArm ( 1123533 ) on Wednesday September 26, 2007 @12:10PM (#20756379)
    Do these cards affect your credit score? I know when calculating your score they consider (a) how many new lines of credit you've opened in the last couple of years, (b) how many maxed out cards you have (or how many are over 75% or so), and (c) the average length of time you've had each of your cards. It would seem like getting a disposable card would hurt you in all three areas.
  • by Mister Whirly ( 964219 ) on Wednesday September 26, 2007 @12:18PM (#20756469) Homepage
    "To all the people that are playing this down: Fuck you. Fuck eBay, too."

    And to you I would say - stop being so lazy and using the same passwords for all your important financial accounts. If your account really did get drained, it is at the very least partially your fault for not using unique, strong passwords. How is ebay responsible for your lack of security planning??
  • I wonder ... (Score:5, Insightful)

    by golodh ( 893453 ) on Wednesday September 26, 2007 @12:39PM (#20756813)
    Strictly speaking, in an ideal world, you'd copy the list to Ebay, and they would *immediately* block all accounts on the list, contact all affected customers telling them their credit-card data plus contact information has been compromised, that they should change their credit-card number at once, that they would be willing to speak to their credit-card company to explain what happened and absorb any fees the credit-card company charges to issue a new card, help them to create new Ebay logins, and report the breach of their security to the CERT and the FBI. And we all trust Ebay to do all of that on their own initiative, right?

    Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest. I'm not optimistic since any admissions on their part cost them money, dent their public image, may cost them customers, and could make them easier to sue in case accounts are abused (either before or after the data becomes public).

    Of course it's irresponsible to publish this sort of information (credit-card numbers, contact details) on the web. And yes ... perhaps there should be an independent authority (e.g. the police, the FBI) where you can go with your information and be certain that action will be taken instead of making it accessible to the world and his dog.

    In the absence of a clear-cut authority to report to I'm still not quite convinced that the "shock-and-awe" effect of bluntly putting the data on the web isn't needed to prod Ebay into action to take measures.

  • by Mister Whirly ( 964219 ) on Wednesday September 26, 2007 @12:49PM (#20756923) Homepage
    And if you hadn't fucked up, they wouldn't know your Gmail and PayPal passwords. Besides, you don't have any concrete proof that this is related to the Ebay postings do you? Did it ever occur that your password may not be that strong and was simply guessed or brute-forced? Could be a coincidence. Only 1200 out of the millions of Ebay accounts were even posted.
  • by expro ( 597113 ) on Wednesday September 26, 2007 @02:26PM (#20758217)

    This kind of behaviour is reprehensible. If you wanted to let EBay know they have a security problem, tell them, anonymously if you must, but posting other people's identifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

    It is EBay's behavior that is reprehensible. We have no evidence whether or not the person tried to tell EBay, but, based on my experience, EBay would do nothing whatsoever about it, other than perhaps try to harass the person who tried to report it. So how else should someone let people know how reprehensible EBay's so-called security is, not to mention their many other policies allowing customers to be abused by merchants?

    Fortunately for EBay, there are a great many fools left who continue to use their service.

  • Re:Just beautiful. (Score:3, Insightful)

    by ivan256 ( 17499 ) on Wednesday September 26, 2007 @02:28PM (#20758241)
    According to my user profile, they don't have my phone number.

    Maybe they could get it from my credit card company, but if they did my credit card company would be losing my business.
  • by e-scetic ( 1003976 ) * on Wednesday September 26, 2007 @02:33PM (#20758313)

    The Register contacted at least two of the people whose info was posted and they confirmed their accounts had been hacked.

    See the story here [theregister.co.uk].

    As for the credit card numbers not belonging to the people affected, my first thought was the hacker posted the correct contact info but, perhaps to be benevolent, scrambled the credit card numbers. In other words, the card numbers displayed are correct but they're just shown as belonging to someone else. eBay may be realizing this now when they search their databases for the people those numbers really belong to.
