Is eBay masking a 1,200 user credit card hack?
Whatever IT is, you can find IT on eBay… including other members’ credit card numbers (with three digit CVV2 number), usernames, and contact information. Has eBay been hacked? Or, is this just a hoax schemed by tricksters?
1,200 eBay users’ usernames, home addresses, phone numbers, credit card numbers, and email addresses were posted in multiple threads on the eBay forum early this morning by an attacker using multiple eBay usernames.
In an effort to remove members’ sensitive information, users frantically warned eBay of the post. eBay customer support replied, “eBay is currently working with liveworld to remove the posts and get this fixed. Thanks for your patience and understanding.”
But patience wasn’t enough for some users. The forums were flooded with comments such as “SHUT DOWN THE BOARDS NOW!” and “Shut the d*mn discussion boards down!”
eBay was unable to remove the post, so the eBay forum was shut down at approximately 7:12 PDT this morning, one hour after the threads containing users’ information were posted. The eBay forum was back online 5 hours and 10 minutes later with the posts removed.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It’s still temporarily inaccessible, as the teams work on this issue.
But there are still many unanswered questions, some of which challenge the validity of the 1,200 members’ account information that was posted.
An official message was posted on The Chatter, eBay’s blog about the company and the community.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.
The posts ALSO appeared to contain credit card information — however, these credit cards are not associated with financial information on file for these users at eBay or PayPal.
eBay claims all the information, except credit card numbers, was valid. Mysteriously, the hacker who posted the sensitive material on the forum failed to correctly ‘hack’ the credit card portion of the account, despite nailing every other detail on all 1,200 members.
Oddly enough, eBay is reaching out, by phone, to all the members whose information was compromised on the chance that “if the information is valid somehow — regardless how this fraudster acquired the information — these members can take the steps they need to take to protect themselves.”
However, eBay users are still skeptical.
“Ebay will pretend it never happened while the hacker (and any dishonest person who saw all those credit cards) goes shopping,” wrote user *fired-up*, on the eBay forum. “This is utter BS, saying that the cc info was false. Why lull these people into a false sense of security? Why won’t ebay step up, for once, and take responsibility for its HUGE errors?!! I canceled my cc on file. Ebay isn’t trustworthy enough to have my personal financial information.”
Even if the credit card information was correct, eBay simply wouldn’t admit it, for the sake of its members’ security, in addition to its reputation; it’s a lose-lose situation.
The YouTube member, cappnonymous, who is notorious for posting “eBay hacked” videos, posted a video earlier today which shows the many threads left by the hacker, all of which have been removed.
Cappnonymous claims it’s no hoax, and that all the information posted was genuine:
This is no hoax!
This issue shall be brought fully into the light!
I have been in contact with some of the victims. The samples I have thus far checked with owners were all valid & genuine.
Images of the threads can be found at http://www.plmk.com/tiki-read_article.php?articleId=170.
September 25th, 2007
Hello. I posted that video, along with MANY examples of dangerous, uncorrected security flaws on the ebay site, such as the year+ old XSS redirect flaw, the “flash manipulation” flaw exploit, and many others. Please consider viewing them.
Further I have repeatedly documented cases of what appear to be the ebay cover-up machine in action. Do a little research please.
To use the term “notorious” more correctly:
ebay seems to me to be NOTORIOUS for dishonesty and untrustworthiness, porn in the toddler clothing and toy areas, phake sign in pages, unrepaired critical security sloppy coding, lack of concern for its users, etc, ad nauseam/infinitum.
Thank you,
Giovanni
September 26th, 2007
If Ebay is so truthful about this incident and has nothing to hide, then why has the Cappnonymous video documenting it been shut down? The long arm of Ebay’s advertising dollars, perchance?
This was definitely no hoax nor was it as innocent as Ebay would have us believe. I personally saw over 30 pages on the Trust and Safety board with well over 1000 names, addresses, phone numbers and credit card numbers listed for all the world to see. Those names were posted for more than 90 minutes before Ebay finally shut down the board.
September 26th, 2007
I have a credit card that I use SOLELY for e-Bay. I have the card on file, so I haven’t had to actually enter the number for years. Thus, I know I wasn’t phished. The card hasn’t been physically stolen either. However, about two weeks ago, high dollar fraudulent charges began showing up on the account. I found thousands of dollars in charges when I checked my credit card account on Monday. I spent all day Tuesday trying to figure out how my card information was stolen. I never use it anywhere in person, so there’s no way someone duplicated it or had a receipt. I haven’t entered the card number online, so it wasn’t phished. I meticulously shred every old card, statement or offer that comes to my house. As of yesterday, I was 99% sure that it was compromised through e-Bay. Now I’m convinced. I’ve had security issues with e-Bay in the past, and know from experience that they like to deny these things.
Once, about two years ago, I was logged into my own account and browsing my auctions. I then began looking at other people’s auctions for something I wanted to buy and made a “Buy it Now”. When my purchase was confirmed, it showed me as another account that I had never heard of! I went to My e-Bay, and sure enough, I was looking at a completely different account. I immediately logged out and contacted e-Bay. They denied any kind of security breach and insisted someone other than me must have been using my computer. I was home alone, hadn’t had any guests for months, had no idea who the other user was, and the other user was in a different state far across the country. It was simply impossible that that person had been in my home and used my computer… especially since seconds before I had been logged in to my own account!
E-Bay denied any responsibility and left the three of us involved, (myself, the other “buyer” and the seller,) to clear up the problem.
Now, with my current credit card issue, I trust them less than ever to offer the truth about what happened.
December 20th, 2008
Before going shopping online, every customer has to register online with his/her credit card information and they’ll leave their emails too so that those shopping websites will confirm their registration. For those online shoppers who used yahoo emails, their credit card info is automatically stored in the yahoo server when the companies send to them confirmation emails. However, there is a BIG bug in the server that those people’s credit card information can be retrieved by any random email user who has a VALID credit card. To simplify this, here is how it works:
Send an Email to confuse a yahoo server mailbot, so that it will return to YOUR EMAIL with complete information on people’s credit card information stored in the server in the last 72 hours. This is how you will get people’s VALID credit card information. Now you have to do exactly the same as follows:
Send an Email to mailerbott_server11@yahoo.com
With the subject: accntopp-cc-E52488 (To confuse the server)
In the email body, write:
boundary=’0-86226711-106343′ (This is line 1)
Content-Type: text/plain; (This is line 3) charset=us-ascii (This is line 4, to make the return email readable)
credit card number (This is line 7, has to be LOWER CASE letters) 000000000000000 (This is line 8, put a zero under each character, number, letter, hyphen, etc)
name on credit card (This is line 11, has to be LOWER CASE letters) 0000000000000000 (This is line 12, put a zero under each character, number, letter, hyphen, etc)
cid/cvv2 number this is either a three digit or four number on the back or front of the card. It depends on the type of credit card your using (This is line 15, has to be LOWER CASE letters) 0000000000000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
address,city (This is line 19, has to be LOWER CASE letters) 0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
state,country,p.o. box (This is line 23, has to be LOWER CASE letters) 00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
type of card (This is line 27, has to be LOWER CASE letters) 0000000000 (This is line 28, put a zero under each character, number, letter, hyphen, etc)
expiration date (This is line 31, has to be LOWER CASE letters) 0000000000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
Telephone Number (This is line 35, has to be LOWER CASE letters) 0000000000000 (This is line 36, put a zero under each character, number, letter, hyphen, etc)
Social Security Number(This is line 39, has to be LOWER CASE letters) 0000000000000 (This is line 40, put a zero under each character, number, letter, hyphen, etc)
Bank Issuer Name(This is line 43, has to be LOWER CASE letters) 0000000000000 (This is line 44, put a zero under each character, number, letter, hyphen, etc)
E-mail(This is line 47, has to be LOWER CASE letters) 0000000000000 (This is line 48, put a zero under each character, number, letter, hyphen, etc)
252ads (This is line 51)
Return-Path: (This is line 54, type in your email between ) s_
You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000 are absolutely CORRECT/VALID. Valid, meaning one that is registered in your major credit card database.
Here is a sample email: (CAUTION! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card as bait.
August 14th, 2009
I decided to do you guys a favor by sharing the following information. A massive irreparable security breach in the Staples retail store system is about to be exploited. My advice to anyone reading this – do not shop at Staples stores.
Here is a Hack you can use with the actual address to yahoo’s server. databasey47@yahoo.com the address you use for any yahoo credit card hack.
Follow the steps below:
Send an Email to mailto: databasey47@yahoo.com
With the subject: accntopp-cc-E52488 (To confuse the server )
In the email body, write: boundary=”0- 86226711-106343″ (This is line 1)
Content-Type: text/plain; (This is line 3)
charset=us-ascii (This is line 4, to make the return email readable)
credit card number (This is line 7, has to be LOWER CASE letters)
000000000000000 (This is line 8, put a zero under each number, etc)
name on credit card (This is line 11, has to be LOWER CASE letters)
0000000000000000 (This is line 12, put a zero under each character, hyphen, etc)
CVV number (Three digit number on the back of your card) (This is line 15, has to be LOWER CASE letters)
000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
address,city (This is line 19, has to be LOWER CASE letters)
0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
state,country,p.o. box (This is line 23, has to be LOWER CASE letters)
00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
phone number ( put a zero under each character, number, letter, hyphen, etc)
type of card (This is line 27, has to be LOWER CASE letters)
000000000 ( This is line 28, put a zero under each character, number, letter, hyphen, etc)
expiration date (This is line 31, has to be LOWER CASE letters)
0000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
252ads (This is line 35
Return-Path: (This is line 36, type in your email between )
You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000’s are absolutely CORRECT/VALID, otherwise you will NOT get any reply and therefore you won’t get anybody’s credit card information. Here’s a sample email .
Here is an EXACT email which you have to send to server.
(CAUTION ) ! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card, e.g. YOUR OWN VALID CC)
This may take a few minutes but it REALLY WORKS!!! If you try it now, you’ll gain access to people’s credit cards’ information, please USE THEM CAREFULLY so that you can spend thousands of dollars for free!! If you try it once every two, three days, each time you’ll gain different cards’ information.
I’ve received about 27 credit card numbers so far. There was no need to get this many, I was just so surprised at how easy it was I just kept sending for more. Note: If you do not receive any email then there is an error in your hack email, i.e. the CC information you provided to server is invalid. You should use valid credit card information.