Security

Ebay Hacked, User Info Posted

An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 eBay users on the eBay.com Trust & Safety forums. eBay pulled the Trust & Safety forums offline, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay's response is on the eBay chatter page, and seems to try and downplay this "fraudster"'s activity."

  • hacked? (Score:3, Interesting)

    by koogydelbbog ( 451219 ) on Wednesday September 26, 2007 @11:14AM (#20755663)
    Are they sure eBay itself was hacked?

    I only ask because I had a better-than-usual phishing attempt this morning telling me my eBay account had been 'restricted' and it wouldn't be too hard to harvest 1200 passwords from the above without hacking eBay itself.

    email text:

    "A33 TKO NOTICE: Restricted Account Access

    We have taken steps to secure your eBay account, including review of your
    personal information and placing a temporary restriction on your account. Any
    activity has been cancelled and any associated fees have been credited to your
    account. We assure you that your credit card and bank details are stored on a
    secure server and cannot be viewed by anyone.

    Your account is currently blocked from listing and bidding on items, and from
    sending email through Ask Seller a Question or Contact eBay member. To restore
    full access to your account, please follow the instructions in this email."

    login to your account link was:
    http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1 [ebayobjects.com]

    i.e. it had a suspicious 2nd address in the URL, one which resolves to Australia
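Added example, not part of the original comment and not eBay's code: a Python check for the pattern the comment above points out, a link whose visible host carries a second URL that points at a raw IP address, with a brand hostname used only as a directory name. The `BRANDS` list and the finding labels are assumptions made for this illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# The link quoted in the comment above.
SAMPLE = ("http://us.ebayobjects.com/2c;13012399;10693575;h?"
          "http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?"
          "co_partnerid=2&siteid=0&UsingSSL=1")

BRANDS = ("ebay", "paypal")  # assumption: names the mail claims to come from
EMBEDDED = re.compile(r"https?://", re.IGNORECASE)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url, brands=BRANDS):
    """Return (outer_host, findings) for a link copied out of an email."""
    outer = urlsplit(url)
    findings = []
    # Decode once so a percent-encoded second URL is seen as well.
    tail = unquote(outer.path + "?" + outer.query)
    match = EMBEDDED.search(tail)
    if match is None:
        return outer.hostname, findings
    inner = urlsplit(tail[match.start():])
    if not inner.hostname or inner.hostname == outer.hostname:
        return outer.hostname, findings
    findings.append("second-url:" + inner.hostname)
    if is_ip_literal(inner.hostname):
        findings.append("ip-literal-destination")
    # A brand hostname used as a directory name only decorates the path;
    # if the outer host redirects, the server reached is inner.hostname.
    for segment in inner.path.split("/"):
        labels = segment.lower().split(".")
        if len(labels) > 1 and any(b in labels for b in brands):
            findings.append("brand-host-in-path:" + segment)
    return outer.hostname, findings


if __name__ == "__main__":
    host, findings = inspect_link(SAMPLE)
    print(host, findings)
```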
  • by Anonymous Coward on Wednesday September 26, 2007 @11:18AM (#20755715)
    I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.

    in fact my number right now is 342498 GO and hack my account now.... oh wait. it just changed... 096443 is the new number, you got 25 seconds.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Wednesday September 26, 2007 @11:31AM (#20755865)
    Comment removed based on user account deletion
  • by N8F8 ( 4562 ) on Wednesday September 26, 2007 @12:01PM (#20756293)
    I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get your item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was being redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar to warn them.
  • NOT A FRAUD!! (Score:2, Interesting)

    by jfuredy ( 967953 ) on Wednesday September 26, 2007 @12:30PM (#20756673)
    I have no incontrovertible proof that it came from eBay, but the credit card that I have on file for eBay was compromised two weeks ago. There were several unauthorized online charges on my account. When it happened I had no way of knowing where the info leaked from. But now, two weeks later, I find out that all of my eBay user account information is available on the internet?!?

    I WOULD SAY THAT THIS IS NOT A COINCIDENCE, AND THAT THERE WAS AN ACTUAL MALICIOUS HACKER ATTACK.

    If you watch some of the videos related to the one linked above you will see that the person that posted the info to the eBay forums was just trying to get some visibility of the problem that he discovered.
  • Re:Fraudster? (Score:5, Interesting)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Wednesday September 26, 2007 @01:44PM (#20757645) Homepage
    Anyone who's ever submitted such "well-intended" reports, sometimes they get a "thank you" and the problems get fixed, but more often there is resistance and hostility. Now this is pure speculation, devil's advocate if you will, but what if the hacker had already tried to contact eBay and was rebuffed, or perhaps he (or his client) was the victim of fraud as a result of eBay's poor security and this was retaliation.

    Sometimes, when someone doesn't listen to your kind advice, you have to make them listen.
  • Re:I wonder ... (Score:3, Interesting)

    by Fred Ferrigno ( 122319 ) on Wednesday September 26, 2007 @09:52PM (#20762959)

    Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest.
    So what should eBay do when it really is a hoax? There are plenty of assholes who would do exactly this sort of thing just to have a laugh at eBay (and Slashdot for talking about it). eBay's story is far from implausible. If they're lying and it isn't a hoax, it'll come out very soon. Then they'll catch even more shit for lying about it.
  • Me Too. (Score:2, Interesting)

    by FrameRotBlues ( 1082971 ) <framerotblues@@@gmail...com> on Wednesday September 26, 2007 @11:21PM (#20763611) Homepage Journal
    I second that. Someone had tried to take $2800 out of my bank account via PayPal, lucky for me I don't have that much money, and the bank didn't pay it (but assessed me a $34 insufficient funds fee).

    When I logged onto PayPal, they had all the red flags up, and required me to prove my identity and change my password, yaddah yaddah yaddah. Several days later, it came thru AGAIN, and I found a number for PayPal and gave them a call. Turns out that if my bank denies the transaction, they'll try again, just like with a check or any other purchase.

    I thought my password (8 digits) was pretty good, as it was not a word and included numbers, but apparently, it wasn't. Now it's 20 digits long. My bank also made the suggestion that I get a new checking account, as those numbers may be out there as well. I think it's a good point, and I'll have to do that pretty quick.

    It's not from phishing, as I can easily see which e-mails are truly from PayPal and which ones aren't. The phishing mails are full of typos, spelling errors, and repeat sentences with different information. They've gotta be done by someone who isn't fluent in the English language. It's actually pretty funny reading material. What's not so funny is that those horribly-done phishing e-mails actually fool some people. Sad state of affairs we have in the education of the country, if you ask me.

    -Dave
