Ebay Hacked, User Info Posted

An anonymous reader writes "This morning a hacker posted the personal contact information and credit card data of 1,200 ebay users on the eBay.com Trust & Saftey forums. eBay pulled the Trust & Safety forums off line, but not before one user made a video of the hacked forums and posted it on youtube.com. eBay response is on the eBay chatter page, and seems to try and down play this "fraudster"'s activity."

Fraudster?

[Hatta]

If he posted the info to eBay, it's unlikely he's interested in fraud. The hackers you have to worry about are the ones you never find out about.

Re:

[Frigga's Ring]

While what you said makes sense, it's really a cold comfort when you consider the personal information at risk. The hacker could have posted it in the forums just to cause chaos or for a hundred other reasons. If it was merely used as a warning that eBay's security is lacking, they could have done it through an e-mail to the administrators or to a reputable news site.

Re:Fraudster?

[billcopc]

Anyone who's ever submitted such "well-intended" reports, sometimes they get a "thank you" and the problems get fixed, but more often there is resistance and hostility. Now this is pure speculation, devil's advocate if you will, but what if the hacker had already tried to contact eBay and was rebuffed, or perhaps he (or his client) was the victim of fraud as a result of eBay's poor security and this was retaliation.

Sometimes, when someone doesn't listen to your kind advice, you have to make them listen.

Re:Fraudster?

[Judebert]

Ebay claims in TFA that the information was incorrect. In short, it's just a fraud, a scam, an attempt to get Ebay tech support and its customers riled up.

Re:

[mr_mischief]

What if the posts are real and really from those accounts, but the guy changed the credit card info to shield the users a bit. The personal information is bad, but valid credit card numbers would be worse. The guy claims over on YouTube that he just wants to wake eBay up, and that he's not out specifically to hurt the users.

All that said, if this guy's just a phisher, it's nothing about eBay's security to blame here. It's the stupid phish that took the bait.

Re:

[Judebert]

Yes, my original post was poorly worded (stop modding it up! I just referenced the original article, for the love of $DEITY!). I reserve judgement on whether this is a hoax or a problem.

If it's a problem, it's nasty.

If he's a phisher (or other scammer), I'm mildly impressed with his social engineering, but not worried for my identity.

NOT A FRAUD!!

[jfuredy]

I have no incontrovertible proof that it came from eBay, but the credit card that I have on file for eBay was compromised two weeks ago. There were several unauthorized online charges on my account. When it happened I had no way of knowing where the info leaked from. But now, two weeks later, I find out that all of my eBay user account information is available on the internet?!?

I WOULD SAY THAT THIS IS NOT A COINCIDENCE, AND THAT THERE WAS AN ACTUAL MALICIOUS HACKER ATTACK.

If you watch some of the videos

Re:

[Judebert]

I keep up on my security info and I do not trust ANYONE on the internet that I have not personally met in the flesh.

What in the world do you do on eBay? ;)

My original post was poorly worded; I reserve judgement on whether this is actually a fraud or a real problem. Ebay claims the post was a hoax.

That said, remember what Heinlein points out in Door Into Summer: we forget what people like us really ought to know. Statistics may tell us how extremely unlikely something is to happen, but it just as surely asserts that it does happen. Your info could have been swiped by other means, and this is just a coincidence.

Re:

[Smauler]

I do not trust ANYONE on the internet that I have not personally met in the flesh.

Like the previous poster said, what on earth do you do on the internet? I personally have never met _anyone_ in the flesh from computer suppliers I've bought from. The trust that I give them is because of their reputation and because of previous dealings, no more. I don't honestly understand why meeting them in the flesh would make a difference to that.

If there is a brand new start up company you are willing to take a c

Re:

[UncleTogie]

I would, but I can't keep on buying new wallets all the time.

You get a new wallet every time you buy disposable panties?

Of course they would say that...

[RealityThreek]

If those are live credit cards, they would want to ensure as few people as possible would try to use them.

Re:Fraudster?

[StillNeedMoreCoffee]

I don't know, which is worse. Someone that tries to steal your identity and possibly get caught and go to prison and/or pay fines, or someone that posts your personal identifying information on a hugely public site so hundreds maybe thousands of people can take and use that information. I would guess that the information got out in the hacker community quickly and they all made copies of that information.

This kind of behaviour is reprehensible. If you wanted to let EBay know they have a security problem, tell them, anonomously if you must, but posting other peoples indentifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

I wonder ...

[golodh]

Strictly speaking, in an ideal world, you'd copy the list to Ebay, and they would *immediately* block all accounts on the list, contact all affected customers telling them their credit-card data plus contact information has been compromised, that they should change their credit-card number at once, that they would be willing to speak to their credit-card company to explain what happened and absorb any fees the credit-card company charges to issue a new card, help them to create new Ebay logins, and report the breach of their security to the CERT and the FBI. And we all trust Ebay to do all of that on their own initiative, right?

Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest. I'm not optimistic since any admissions on their part cost them money, dent their public image, may cost them customers, and could make them easier to sue in case accounts are abused (either before or after the data becomes public).

Of course it's irresponsible to publish this sort of information (credit-card numbers, contact details) on the web. And yes ... perhaps there should be an independent authority (e.g. the police, the FBI) where you can go with your information and be certain that action will be taken instead of making it accessible to the world and his dog.

In the absence of a clear-cut authority to report to I'm still not quite convinced that the "shock-and-awe" effect of bluntly putting the data on the web isn't needed to prod Ebay into action to take measures.

Re:

[Fred Ferrigno]

Given that Ebay's response is along the lines of "It's a hoax, our security is fine, don't worry" I really wonder if keeping things like this under wraps is enough to keep companies like Ebay honest.

So what should eBay do when it really is a hoax? There are plenty of assholes who would do exactly this sort of thing just to have a laugh at eBay (and Slashdot for talking about it). eBay's story is far from implausible. If they're lying and it isn't a hoax, it'll come out very soon. Then they'll catch even more shit for lying about it.

EBay's behavior is consistently reprehensible.

[expro]

This kind of behaviour is reprehensible. If you wanted to let EBay know they have a security problem, tell them, anonomously if you must, but posting other peoples indentifying information is like shooting an automatic weapon into a crowd of innocent people. I think along with fines, restrictions and imprisonment, spanking should be added to the list of punishments for this type of behavior.

It is EBay's behavior that is reprehensible. We have no evidence whether or not the person tried to tell EBay, but,

Re:Fraudster?

[PalmKiller]

They called him a fraudster because the credit card info did not match the users card info, so they think its just a fake attempt to scare ebayers.

Re:Fraudster?

[htricia]

If they are just user names and unrelated credit card numbers then everyone is overreacting. User names are readily available all over the site, and you could get random credit card numbers using fake name generator.

Re:

[kd5ujz]

This site has info on how to validate/create credit card numbers.

Re:Fraudster?

[kd5ujz]

Jumped the gun a little, here is the site
http://www.beachnet.com/~hstiles/cardtype.html [beachnet.com]

When will EBay notify?

[charleste]

I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.

Re:When will EBay notify?

[Shihar]

At least in the case of Monster.com, the only thing taken was the stuff you could have gotten off anyone's resume. Sure, that can help a phishing scam, but it isn't the end of the world. This is far far bigger. Having credit card numbers stolen is a very big deal. If those 1200 posted were all that was stolen, then this will just be a minor inconvenience. E-bay will contact everyone and get those numbers promptly canceled. If on the other hand the 1200 posted numbers were just a display and proof that the hack had happened and that there were more stolen, then there is a very serious problem.

Even as it stands, unless E-bay can show beyond a shadow of a doubt that only those posted were the ones stolen, anyone credit card number that e-bay has should be held as suspect for potentially having been stolen. Ebay has really dropped the ball. It will be interesting to see how they scramble to deal with this.

Re:

[fistfullast33l]

It's funny - a friend of mine told me last week her email account was hacked into and someone was sending fake emails from her account. I thought she was crazy at the time because she thought that eBay had something to do with it. Now, I'm beginning to believe her.

How could the hacker have gotten her email password from eBay though? That was the part that sounded fishy (or phishy?) to me.

Re:

[mr_mischief]

Lots of email worms and trojans are written to be able to send through Outlook Express. They get on your system and send email through whatever outgoing account you have to whoever is in your address book. I'd suggest a virus and spyware sweep of your friend's computer, as it might be part of a botnet.

It's also pretty easy to get into any webmail account that doesn't use SSL for login credentials. Don't use webmail that doesn't encrypt your password.

It's also pretty easy to sniff plain-text usernames and pa

Re:

[profplump]

It's also dead easy from many mail servers to just put the wrong From: header in -- this often is as easy as changing your settings in Outlook Express or Thunderbird to say you're someone else. If your SMTP server doesn't require -- not allow, but _require_ -- you to authenticate, this is often allowed. Switch ISPs or use an independent mail provider if this is the case.

SMTP AUTH does not necessarily prevent the use of invalid FROM headers. It's possible to setup such policies, but in general it's a bad ide

Re:

[mr_mischief]

Using another mail server for my mail server's domains is a different problem and requires a different solution. SPF is one increasingly popular way to deal with that.

Anyone using role-based email should be sending from the role-based email. You're not going to respond to support@domain.com if I send you an email from bobroberts@domain.com, now are you? Just authenticate as support@domain.com, or have your policies set up to allow more than one account to map to a valid From: header for support@domain.com i

Re:

[Spy der Mann]

It's funny - a friend of mine told me last week her email account was hacked into and someone was sending fake emails from her account.

Two words: Fake headers.
Anyone can put your name and e-mail address in the "From:" field from an e-mail. It's SPAM 101. Matching your name with your e-mail just requires more work (like data harvesting), but I would never consider it "hacking an account".

Re:

[fistfullast33l]

Yes, I'm aware of fake headers - but the way she caught the supposed break in was that her web client (not sure which one) showed the sent emails, which would suggest to me that someone had sent the emails directly through her email service. If someone was spoofing headers, something like Yahoo wouldn't have any record of it, unless the email bounced back.

Re:

[fistfullast33l]

I told her to change her password. I see your point about the SMTP server connection, but wouldn't you connect to the receiving server, not the sending? So if I had a yahoo account and wanted to email hotmail or whatever, I'd connect to hotmail, not yahoo, and then send fake headers. Right? That was my understanding of how that attack worked. She could see the sent emails in her client, so I assumed that it probably wasn't this kind of attack.

Re:

[fistfullast33l]

Yeah you just reminded me, she told me the passwords were the same. Doh!

Re:When will EBay notify?

[bitt3n]

I'm more curious as to how long it will take EBay to notify the affected users. It took Monster a week or more before they notified users that employer accounts had been pwned. *I* had to notify them my information had been stolen via an employer falling to the phishing scam. I just hope EBay is more upfront.

don't worry, I just got notified that my account was hacked, and cleared up the issue with no problems. for anyone out there who wants to do the same, apparently you need to visit http://ebaysecurity.ru/ [ebaysecurity.ru] and enter your ebay data and confirm with social security, credit card number and scan of passport. it only took me about 5 minutes. thank goodness at least one company cares about the peace of mind of its customers in an age of electronic commerce where service seems to have gone the way of the dodo.

Re:

[charleste]

LMAO! You made me snort coffee out my nose.

Re:

[zookie]

I just hope no one moderates the parent post as "Informative".

Re:

[gnuman99]

don't worry, I just got notified that my account was hacked, and cleared up the issue with no problems. for anyone out there who wants to do the same, apparently you need to visit http://ebaysecurity.ru/ [ebaysecurity.ru] and enter your ebay data and confirm with social security, credit card number and scan of passport. it only took me about 5 minutes. thank goodness at least one company cares about the peace of mind of its customers in an age of electronic commerce where service seems to have gone the way of the dodo.

Well,

Whitehat?

[Applekid]

1200 seems kind of low for the kind of community ebay's got.

So I wonder: are these 1200 users the kinds of people who post up an auction for a picture of a coveted item hoping to scam someone out of buku bucks? Are these users that took the money and ran? Or are these legitimate users caught in a genuine hack?

Can't watch the video, and the ebay PR rundown doesn't (and wouldn't) say, but since ebay happily protects fraudulent sellers and refuses to give defrauded buyers any means to recover their losses from the scammers it seems to me like this has potential to be a hacktivism move.

Re:

[p0tat03]

scam someone out of buku bucks

It's "beaucoup"... *cue More You Know rainbow*

am I affected?

[Speare]

Is there a listing of each ID that is affected? Or do we have to trust eBay to send out the usual 1-year-of-credit-watch "protection" to each affected party?

Virtual credit card

[Big Nothing]

Perhaps a tad off topic, but a great tip nonetheless: check out the "virtual credit cards" you can get nowadays, they're excellent for protecting yourself from all kinds of online problems. The card works much like a disposable e-mail address; you create a virtual card with a unique card number that only exists for a very limited time and that has a defined (read: small) limit. You use that one-time card number to pay for the product you want and dispose of the card afterwards (or rather: forget all about the card afterwards). If someone hacks eBay and finds your number they'll never be able to get any money from it since the card is expired - and even if it's NOT expired, the credit (or rather debit) limit is maxed out.

I got mine for free from my bank and have used it for lots of online purchases - it's fucking awsome.

Re:

[0100010001010011]

MOD PARENT UP.

I use these things all the time online. Anything online. Even bills (I give it a 2 month expiration). Randomly generated credit cards rock.

Re:

[ShatteredArm]

Do these cards affect your credit score? I know when calculating your score they consider (a) how many new lines of credit you've opened in the last couple of years, (b) how many maxed out cards you have (or how many are over 75% or so), and (c) the average length of time you've had each of your cards. It would seem like getting a disposable card would hurt you in all three areas.

Re:

[DustyShadow]

It is most likely a number that ties to your "official" credit card number. I really doubt the credit card companies would report multiple accounts on it.

On a sidenote, some CC companies will allow you to disable online purchases unless you call in to approve it first. One of mine turned that on without asking me and I kept getting a denial until I called in and they told me that I had to approve it first over the phone.

Re:Virtual credit card

[0100010001010011]

No. I officially have 1 "Card". When I want another card I login to Citicards.com and go to the VAN (Virtual Account Number). They have a Flash online version or a 'local' version for XP. You then get a credit card number is defaulted to expire the next month. Even if it's the last day of the month (it's designed to be used immediately). The numbers can only be used once and you can additionally set up a limit on how much money the card is limited to and in how long it should expire. I usually just accept the defaults with reputable businesses. If the website looks a bit shady, I can limit the useage to Cost + $1.

Everything is tied to your main account, but if 'they' get the temp number, it's useless. It doesn't count towards having a new line of credit, maxing out your card (unless you max out your Account) or how long you've had the card. I think in the last year I've made 100+ of them. Used for everything for bills (Who in their right mind would send valid credit card information though the mail, then they have *everything*) To online orders.

Re:

[llefler]

Do these cards affect your credit score?

No, they won't effect your credit score because they don't show up on your credit report. They aren't new lines of credit, they are linked to your regular credit card account. On the ones that I have used; you log into the bank's website and use your regular account to authorize a transaction tied to a specially generated credit card number. I use them from time to time to deal with merchants that I have never dealt with before.

No big deal.

[mckinnsb]

1) It's a kid. 2) He might not have even gotten the CC#'s out of eBay's internal servers. In fact, I bet he didn't, and he was evesdropping on another network. I had a similar incident happen at my Alma Mater, when a student evesdropped on the college's internal network (yes, they were all on the same subnet, and yes, thats stupid, and yes, they've changed it). 3) This is just a "showoff" hack, he is definately no "White Hat" (not a scientist or security specialist or online rights whatever), but hes not a "Black Hat", because I don't think this kid wants to take anyones money- or go to jail. Lets call him a "Clown Hat". 4) Uh, its eBay? Why do eBay and "fraud" suddenly seem uncompatible :)

Re:

[oztiks]

Hmmm ... 1,200 times say $1,000 (avg credit limit most people are much higher and some lower)

Lets see that comes too roughly $1,200,000.

Yes no big deal, i can see Visa and Mastercard overlooking that type of liability.

If it was a man in the middle attack like you suggest this creates larger problems to the e-commerce industry as a whole. I'm hoping it came from eBays internal servers, a patchable security fault will make me sleep better.

This is simply the beginning of how websites becoming major targets for

Re:

[DrWhizBang]

Lets call him a "Clown Hat"

Yes, in fact, I think I will do that. You sir, have just added some nice new jargon to my vocabulary. Many thanks!

Re:

[Mister Whirly]

"To all the people that are playing this down: Fuck you. Fuck eBay, too."

And to you I would say - stop being so lazy and using the same passwords for all your important financial accounts. If your account really did get drained, it is at the very least partially your fault for not using unique, strong passwords. How is ebay responsible for your lack of security planning??

Re:

[Mister Whirly]

And if you hadn't fucked up, they wouldn't know your Gmail and PayPal passwords. Besides, you don't have any concrete proof that this is related to the Ebay postings do you? Did it ever occur that you password may not be that strong and was simply guessed or brute-forced? Could be a coincidence. Only 1200 out of the millions of Ebay accounts were even posted.

Re:

[SleepyHappyDoc]

(same password because I have poor memory)

It sucks that this happened to you. But you allowed it to happen, when you chose convenience over security. I guess now you know why that's a bad idea.

Re:

[Mister Whirly]

"Why does "uncompatible" suddenly seem like it's not a word?"

Uncompatible not a word? That's unpossible! (with apologies to Ralph Wiggum)

alphabetical

[htricia]

According to the youtube video it seems as though only those with usernames starting with a,b,j,k were effected.
Chances are I am wrong, but if thats the case then that narrows the list down, and I wouldn't have to worry.

hacked?

[koogydelbbog]

are they sure ebay itself was hacked?

i only ask because i had a better-than-usual phishing attempt this morning telling me my ebay account had been 'restricted' and it wouldn't be too hard to harvest 1200 passwords from the above without hacking ebay itself.

email text:

"A33 TKO NOTICE: Restricted Account Access

We have taken steps to secure your eBay account, including review of your
personal information and placing a temporary restriction on your account. Any
activity has been cancelled and any associated fees have been credited to your
account. We assure you that your credit card and bank details are stored on a
secure server and cannot be viewed by anyone.

Your account is currently blocked from listing and bidding on items, and from
sending email through Ask Seller a Question or Contact eBay member. To restore
full access to your account, please follow the instructions in this email."

login to your account link was:
http://us.ebayobjects.com/2c;13012399;10693575;h?http://61.9.146.244/signin.ebay.co.uk/ws/?eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1 [ebayobjects.com]

ie it had a susipicious 2nd address in url, one which resolves to australia

Re:

[speaker of the truth]

I entered in "ausername" and "apassword" to see what page it takes me to and it asks for my name, address, credit card number, etc. If someone is stupid enough to put in their address, surely they're stupid enough to put in the correct credit card?

Re:

[KevMar]

thankyou double click for making this one happen.

They have an open redirector that anyone can use to help hide the destination url.

Normaly I would blast someone for posting fishing links on other webpages, but I would trust slashdot users to not fall for it

Re:

[tlhIngan]

The question is, what does "TKO" stand for? I notice a *LOT* of phishes all have that somewhere (usually in the subject as "TKO Notice:" in them. You'd think most eBay phishes would use plain English, and not techie words like "TKO" (to which I don't know what it means).

BTW, according to eBay, all email from them includes your eBay username in them. (Likewise, from Paypal, which will have your real name in them and in the To header). For eBay, that's public information (except the username to e-mail address

Re:

[DieByWire]

i only ask because i had a better-than-usual phishing attempt this morning ....

It was a better than usual phish (of course, a lot a pretty bad). Netcraft Toolbar [netcraft.com] for FF caught it, though. It would be interesting to know how long it took for Netcraft to identify it as a phish.

Re:Firefox reports..

[Technician]

Firefox reports the page in your link as a reported forgery. I like Firefox. I'm surprised it has not made it to the scrubit filtered DNS yet.
Will, it's time to fill in another phishing page with garbage. Woo Hoo!
 

Re:

[HarvardAce]

I was just looking at a list of usernames [shenemanfamily.com] that were allegedly hacked. One of the things I noticed is that there are several odd usernames that appear one or two times that are only off by a character. This would make me think that this would be the result of a phishing attempt where users typoed their username on the phishing site.

One point to be made--

[Donniedarkness]

Ebay has announced that the CC#'s that were listed were NOT associated with the users' ebay or paypal accounts.

The guy had to have either:

A) Made them up

B) Gotten them somewhere else.

Regardless, he's just a troll trying to create bad press for eBay.

Re:

[darkmeridian]

Or perhaps eBay is incompetent or lying. This may be amazing, but hackers may actually cover their tracks so well that administrators don't even know exactly what was stolen. For example, data that is supposed to be transient may be intercepted and saved by the hacker. The administrator doesn't know what was there because the transient data was destroyed and not saved on their systems. This is almost definitely not the case here because the eBay server would have to be massively PWND but it's definitely hap

Re:

[Donniedarkness]

Well... there's that, and the fact that the guy that hosted the video on youtube is a crazy anti-ebay fanatic.

Bet 20$ none of those users had the Secure dongle

[Anonymous Coward]

I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.

in fact my number right now is 342498 GO and hack my account now.... oh wait. it just changed... 096443 is the new number, you got 25 seconds.

Re:Bet 20$ none of those users had the Secure dong

[FirstTimeCaller]

I got in on the beta test and still use the ebay/paypal key dongle for my login. Makes it 100% ineffective for phishing scams to get my login.

That was my first reaction too. But if they really hacked into the eBay servers and were able to get to your credit card information, well then that dongle isn't going to be of much help. Sure you're safe from them bidding for Beanie Babies on your behalf, but the credit card information is another story. Luckily, it sounds like this might be a hoax.

Lying by omission to try to remove this info

[speaker of the truth]

It is lying by omission to try to remove the information on youtube or any other website (the usernames and addresses are correct while the credit card numbers appear to be incorrect) as that would be censorship and is wrong. At least according to this anonymous coward and the mods who modded me troll. [slashdot.org] Its sad to see an example of my counterclaim up so quickly, although at least only the address is correct and it shouldn't hurt people financially (although I wouldn't want my address linked with my slashdot

Perhaps it was The Decepticons!

[mamono]

Did they post the personal info for Ladiesman217?

ebay Statement

[spacerog]

http://www.ebaychatter.com/the_chatter/2007/09/trust-safety-fo.html [ebaychatter.com]

Trust & Safety forums issue this morning

Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.

Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.

The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.

eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.

I'll update this story later as we have more to share.

WHAT HAPPENED: Fradulent Items on eBay

[N8F8]

I'm betting that this is the other half of the story: Last night I was looking through microphones in the Pro Audio category and there was an ad with a nude chick at the top (the slot you pay extra to get you item posted to). When I clicked on the ad the FF eBay toolbar popped a warning that I was beign redirected to a fake eBay site to log in. I'm betting 1200 people didn't have the toolbar towarn them.

E-Bay response

[morcego]

eBay response is on the eBay chatter page, and seems to try and down play this "fraudster"'s activity."

I just read that response. I for one find it very professional and correct.
What did you expect ? That E-Bay would just come forward and say: "oh, we haven't fully checked on this yet, but since it was a post on the forum, we are sure it is correct, so we are confirming it".

They are investigating. They are contacting the users that are potentially affected (just in case).

They are not silent. They are not d

Here is the list of account names

[SiliconEntity]

An eBay member saved the account information that was posted before it got deleted. They have posted only the eBay account names, not any of the other data. You can look there to see if your account was one posted:

http://shenemanfamily.com/comp.html [shenemanfamily.com]

Re:

[jonnythan]

One of the account names is they_call_me_*ice*nuts*

Do you think they really call him that?

This video has been removed due to terms of use ..

[stefanlasiewski]

And now the video has been removed:

This video has been removed due to terms of use violation. [youtube.com]

Re:This video has been removed due to terms of use

[BobMcD]

And yet, if it WERE fake, why remove it?

Seems to authenticate it to me...

CC numbers are probably valid

[e-scetic]

The Register contacted at least two of the people whose info was posted and they confirmed their accounts had been hacked.

See the story here [theregister.co.uk].

As for the credit card numbers not belonging to the people affected my first thought was the hacker posted the correct contact info but, perhaps to be benevolent, scrambled the credit card numbers. In other words, the card numbers displayed are correct but they're just shown as belonging to someone else. eBay may be realizing this now when they search their databas

Re:

[jtroutman]

According to TFA, eBay is contacting all of the users that were listed.

Re:

[ivan256]

And all those e-mail messages they are sending out are getting marked as "Scam" by Thunderbird....

Re:

[ehrichweiss]

According to the article, they're using the phone, not email, to contact the users.

Re:

[ivan256]

According to my user profile, they don't have my phone number.

Maybe they could get it from my credit card company, but if they did my credit card company would be losing my business.

Just beautiful.... for Phishing

[huckamania]

Expect to receive a letter from "ebay" or "pay-pal" even if you really weren't one of the 1200.

Seriously, if you know anyone who uses ebay, let them know that email is not verified as regards the sender. My wife uses ebay on my account and I get phishing attacks thru ebay and paypal all the time. I'm sure this breach(?) will only make those phishing attacks more common and more effective.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Bigbutt]

I wouldn't mind setting up a decent webmail server for my wife however I haven't been able to find something that's simple and easy to manage without leaving the front door wide open. I haven't looked recently though. Maybe it's time to surf again and see what's out there.

[John]

Real Deal EBay

[spaceyhackerlady]

I get EBay phish email all the time, and I get real EBay email all the time.

It's easy to tell them apart. EBay never ask for credit card information (they don't have it); the phishers always do. EBay know my name, and use it. The phishers don't.

...laura

Re:

[Technician]

It's easy to tell them apart.

I have two ways to tell them apart.

1 I don't have an eBay account. They are all phish. I love seeding their database with garbage.
2 Filtered DNS. Phishing sites are quickly reported and filtered. Most of my attempts to feed their database garbage results in a "this page has been scrubbed" page instead.

http://scrubit.com/ [scrubit.com]

There is no software to download or install. It's simply a free filtered DNS service.

Re:

[HTH NE1]

I've forgotten my eBay password and I no longer possess the e-mail address with which I registered (change of ISP).

I may be safe though as the account dates back to before PayPal, I never gave eBay my credit card information, and I wasn't a seller... right?

Re:Just beautiful.

[digitig]

"We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves."

"Hello, this is eBay. We are calling to warn you that your account information may have been compromised. But before I go any further, I just need to confirm some security details. Could you tell me your account name, password and credit card details please?"

Re:

[Ragein]

HAH Just wait for the email from eebai@yahoo.com and confirm your credit card details there... well atleast that way you know which ones have been compromised

Re:

[dpaton.net]

eBay holds credit card information to bill users directly for auction insertion and listing fees. That's been done since the late 90s, before the Paypal takeover. They also use it to verify shipping addresses and contact information as I recall.

Re:

[tomknight]

What you're missing is this: Reading The Fucking Article.

"The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over. The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. "

Re:

[krgallagher]

"What you're missing is this: Reading The Fucking Article."

Very interesting. I received an obvious phishing attempt in email yesterday pretending to be from eBay. It took me to a site that looked just like the front page of ebay.com with my email already in the login name. Naturally I did not log in, because the URL was not eBay. Still I wonder how many people did give out their account password and if this is the source of the "account take over" that seems to be the source of this information. It am

Re:

[Bigbutt]

So you went to the fake site? I don't even do that as I figure it's a totally hostile site and could infect, inject, neglect, and do all sorts of mean nasty ugly things to my system. Assuming main system usage vs a sandbox box of course.

[John]

Re:

[Phil246]

ebay owns paypal

Re:

[drxenos]

You must have a credit card on file to use their "buy it now" feature.

Re:

[drxenos]

They much have changed the policy. When I first started using it several years ago, you had to.

Re:

[drxenos]

From eBay: http://pages.ebay.com/help/buy/how-buy-bin.html [ebay.com]
"You must also have either a credit card (or debit card) on file or ID Verify." So, I assume you must have the later?

Re:

[drxenos]

Probably. I remember having to do it before they bought out PayPal. I remember yelling at them because they "stored" your credit card info. They would delete it when I asked, but would just store it again the next time I used "buy it now." Eventually I just gave up asking. I'm glad they changed their policy.

Re:

[ichthus]

Nope. I pay for listings and sales through paypal.

Re:

[WebHostingGuy]

Because a screenshot can be easily faked. Posting a video so quickly after it happened gives credence that the hack was real as it takes longer to fake a video, and the longer the video the longer it would take to fake. Immediately post a video of a hack and you are sure that the video was messed with (unless the video was made prior to the hack, but that's another story).

Re:

[AJWM]

What about a video of a faked screenshot?

Re:

[Panaflex]

Argh... Sarbanes-Oxley, I hate that spelling...

Re:Microsoft-IIS/5.0

[Anonymous Coward]

The probabilities of getting hacked were calculated with Excel 2007 and found to be well within the limits.

Mod parent up!

[saibot834]

Exiting news: Through a CGI-script, you can browse on the server of adobe:
here [adobe.com] (this has just been disabled a few minutes ago)
According to heise (German) [heise.de], you were able to get adobe's private RSA key (which is not much used though) and there are also rumors that they got the private SSL-key.

Re:How about "eBay not hacked,you morons" as headl

[HarvardAce]

2. DON'T click on any links from PayPal or eBay emails. Just type the site into your browser! https://www.paypal.com/ [paypal.com] Let's be safe people!

Am I the only one who finds it ironic that you included a link to paypal in your rant about not clicking on links to paypal?