Is eBay masking a 1,200 user credit card hack?
By George Gardner
Whatever IT is, you can find IT on eBay… including other members’ credit card numbers (with three-digit CVV2 numbers), usernames, and contact information. Has eBay been hacked? Or is this just a hoax staged by tricksters?
1,200 eBay users’ usernames, home addresses, phone numbers, credit card numbers, and email addresses were posted in multiple threads on the eBay forum early this morning by an attacker using multiple eBay usernames.
In an effort to remove members’ sensitive information, users frantically warned eBay of the post. eBay customer support replied, “eBay is currently working with liveworld to remove the posts and get this fixed. Thanks for your patience and understanding.”
But patience wasn’t enough for some users. The forums were flooded with comments such as “SHUT DOWN THE BOARDS NOW!” and “Shut the d*mn discussion boards down!”
eBay was unable to remove the post, so the eBay forum was shut down at approximately 7:12 PDT this morning, one hour after the threads containing users’ information were posted. The eBay forum was back online 5 hours and 10 minutes later with the posts removed.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the Trust & Safety forum unavailable to our Community. It’s still temporarily inaccessible, as the teams work on this issue.
But there are still many unanswered questions, some of which challenge the validity of the 1,200 members’ account information that was posted.
An official message was posted on The Chatter, eBay’s blog about the company and the community.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account takeover.
The posts ALSO appeared to contain credit card information — however, these credit cards are not associated with financial information on file for these users at eBay or PayPal.
eBay claims that all the information, except the credit card numbers, was valid. Mysteriously, the hacker who posted the sensitive material on the forum failed to correctly ‘hack’ the credit card portion of the account, despite nailing every other detail on all 1,200 members.
Oddly enough, eBay is reaching out, by phone, to all the members whose information was compromised, on the chance that “if the information is valid somehow — regardless how this fraudster acquired the information — these members can take the steps they need to take to protect themselves.”
However, eBay users are still skeptical.
“Ebay will pretend it never happened while the hacker (and any dishonest person who saw all those credit cards) goes shopping,” wrote user *fired-up*, on the eBay forum. “This is utter BS, saying that the cc info was false. Why lull these people into a false sense of security? Why won’t ebay step up, for once, and take responsibility for its HUGE errors?!! I canceled my cc on file. Ebay isn’t trustworthy enough to have my personal financial information.”
Even if the credit card information was correct, eBay simply wouldn’t admit it, for the sake of its members’ security, in addition to its reputation; it’s a lose-lose situation.
The YouTube member, cappnonymous, who is notorious for posting “eBay hacked” videos, posted a video earlier today which shows the many threads left by the hacker, all of which have been removed.
Cappnonymous claims it’s no hoax, and that all the information posted was genuine:
This is no hoax!
This issue shall be brought fully into the light!
I have been in contact with some of the victims. The samples I have thus far checked with owners were all valid & genuine.
Images of the threads can be found at http://www.plmk.com/tiki-read_article.php?articleId=170.
September 25th, 2007
Hello. I posted that video, along with MANY examples of dangerous, uncorrected security flaws on the ebay site, such as the year+ old XSS redirect flaw, the “flash manipulation” flaw exploit, and many others. Please consider viewing them.
Further I have repeatedly documented cases of what appear to be the ebay cover-up machine in action. Do a little research please.
To use the term “notorious” more correctly:
ebay seems to me to be NOTORIOUS for dishonesty and untrustworthiness, porn in the toddler clothing and toy areas, phake sign in pages, unrepaired critical security sloppy coding, lack of concern for its users, etc, ad nauseam/infinitum.
Thank you,
Giovanni
September 26th, 2007
If Ebay is so truthful about this incident and has nothing to hide, then why has the Cappnonymous video documenting it been shut down? The long arm of Ebay’s advertising dollars, perchance?
This was definitely no hoax nor was it as innocent as Ebay would have us believe. I personally saw over 30 pages on the Trust and Safety board with well over 1000 names, addresses, phone numbers and credit card numbers listed for all the world to see. Those names were posted for more than 90 minutes before Ebay finally shut down the board.
September 26th, 2007
I have a credit card that I use SOLELY for e-Bay. I have the card on file, so I haven’t had to actually enter the number for years. Thus, I know I wasn’t phished. The card hasn’t been physically stolen either. However, about two weeks ago, high dollar fraudulent charges began showing up on the account. I found thousands of dollars in charges when I checked my credit card account on Monday. I spent all day Tuesday trying to figure out how my card information was stolen. I never use it anywhere in person, so there’s no way someone duplicated it or had a receipt. I haven’t entered the card number online, so it wasn’t phished. I meticulously shred every old card, statement or offer that comes to my house. As of yesterday, I was 99% sure that it was compromised through e-Bay. Now I’m convinced. I’ve had security issues with e-Bay in the past, and know from experience that they like to deny these things.
Once, about two years ago, I was logged into my own account and browsing my auctions. I then began looking at other people’s auctions for something I wanted to buy and made a “Buy it Now”. When my purchase was confirmed, it showed me as another account that I had never heard of! I went to My e-Bay, and sure enough, I was looking at a completely different account. I immediately logged out and contacted e-Bay. They denied any kind of security breach and insisted someone other than me must have been using my computer. I was home alone, hadn’t had any guests for months, had no idea who the other user was, and the other user was in a different state far across the country. It was simply impossible that that person had been in my home and used my computer… especially since seconds before I had been logged in to my own account!
E-Bay denied any responsibility and left the three of us involved (myself, the other “buyer” and the seller) to clear up the problem.
Now, with my current credit card issue, I trust them less than ever to offer the truth about what happened.