eBay Hacked, User Accounts Disabled, No Personal Information Compromised

eBay has been hacked, says Ars Technica, and several members have had their accounts disabled. eBay’s Trust and Safety team issued a statement in which they said (adorably) that the hacker was “a known fraudster to us.”

eBay assured users that no credit card or financial information was compromised.

“This fraudster found very old administrative functions that had not been deactivated several years ago when we changed the security of our internal systems. These functions were still accessible on public servers, while the rest of our functionality is now behind multiple layers of security. We immediately identified the functions that he accessed and deactivated, and we are undergoing an audit to ensure obsolete code that may still exist for other reasons is secure.”

Recently, quite a few eBay users fell victim to a phishing scam that exposed some of their personal data, but was linked to fake credit card numbers. Some suspect that the same hacker is responsible for both of the incidents.

Hacker exploits forgotten eBay administrative system [Ars Technica]



  1. LetMeGetTheManager says:

    Thank god a distant relative in Ghana was able to send me $10,000,000 in my name (for only a $3000 fee), I get nervous when people try to get information from me.

  2. ancientsociety says:

    Doesn’t surprise me.

    Ebay & Paypal have horrible, horrible user security. 3 months ago, my wife’s and a friend’s (separate) paypal accounts were hacked – and not through any “phishing” emails, the thieves used backdoors into their accounts.

    Luckily, they only got about $50 total but it was a mess trying to close all the bank accounts and CCs associated with the accounts. And, Paypal’s “customer service” was a joke, we simply received form email responses. That was the last time any of us used Paypal or Ebay and we certainly won’t sign up for anymore.

  3. Beerad says:

    @LetMeGetTheManager: A “distant relative”? You stooge, you totally fell for a classic scam! Good thing that I’M dealing with the Nigerian Minister for Foreign Financial Programming who discovered billions in unclaimed funds in a forgotten bank account that he needs my help to recover.

  4. SaveMeJeebus says:

    @LetMeGetTheManager: You guys are both a couple of idiots. I got a real job that earns real money–not some scam. All I have to do is buy products to sell to other people to sell for me. I am my own boss and set my own hours. Everything is pure profit after I pay the guy above me. Beat that.

  5. RandomHookup says:

    Wow, I truly am in the presence of greatness. I am in awe of your Web Fu.

  6. amoeba says:

    Glad you posted this article today. I closed my ebay and paypal account a while ago. I am still receiving phishing messages. Is anyone still getting phishing messages from paypal? I do, and I am tired of reporting them without any real solution.

  7. SimonSwegles says:

    @amoeba: You already have the only solution to phishing e-mail: report and/or ignore it. There is absolutely nothing anyone can do to stop such e-mail abuse in our current legislative environment.

  8. loreshdw says:

    Ebay sucks at resolving hacked accounts. I had an account in college I used to sell used books and buy all sorts of fun stuff, but I had to stop when my shopping got expensive. A few years later I sold something for my mom through my account, then left it dormant again. Nine months later I start getting overdue notices from ebay. Someone hacked my account and ran up around $800 worth of listing fees. I contacted Ebay, and got generic emails back about how to prevent phishing. I tried sending a more detailed message, got another generic response stating it was taken care of and I would not be charged.
    Three months later, I get a notice that my account is locked for non-payment of $80. I wrote another email detailing my previous problems, and get another email back stating I will not be held responsible for charges. After trying multiple email addresses I never got a personal response, and only talked with a human when they started calling me for debt collection. I told my whole story again, the service person I spoke with told me it was taken care of.
    Just last week a debt collection agency started calling. I hate Ebay.

  9. amoeba says:

    @SimonSwegles: you may be right, but I’m still disturbed that someone from ebay (I think so) is messing around with email addresses just to have a victim. I am not stupid to give out my personal information, but I think they are invading my territory via email. I have reported to my email server, organizations, paypal, ebay and no solution. I hope someone in consumerist will come one day with a great solution. That’ll be awesome!

  10. SimonSwegles says:

    @amoeba: I agree, it would be great if someone could come up with a reasonable solution. The crux of the problem with e-mail abuse is that e-mail is run on an inherently insecure protocol. SMTP is very easily abused, and without proprietary extension it is utterly impossible to stem the free flow of the various types of abuse e-mail. Even those proprietary extensions are not a good solution, as they require both the sending and receiving servers to be running the same extensions.
    The problem with designing a solution is that there are hundreds of thousands of public e-mail servers on the internet, and billions of e-mail clients. All currently use SMTP protocol. Any corrective change would require either a massive upgrade or migration process which will cause its own problems and interfere with business, or a weak backwards-compatible “upgrade” which will receive little industry support and cause more problems than it solves due to there then being multiple protocol systems to support (and secure).

  11. gniterobot says:

    What a bunch of idiots. Ebay contacted me way ahead of time and said if I could verify all my CC info and bank numbers they would add their “ultra” protection absolutely free.

    Looks like you all lost out on that deal…suckers.

  12. Namilia says:

    Thanks to this article, and the comments, I have just closed my Ebay account and as soon as I can I am closing Paypal too. I have been receiving those annoying spoof emails, but had no idea how bad ebay/paypal were at resolving hacked or compromised accounts. Never used it much for fear of getting scammed, but this just gives me one more reason to close an account I hardly ever used anyways (bought 2-3 things over the span of several years and that is it)

    Stinks there’s a 180 day waiting period when there is nothing outstanding…

  13. msthe8r says:

    I have somewhere in the neighborhood of 80 bazillion e-mail accounts, ONE of which has ever actually dealt with Ebay. All of the others get Ebay/Paypal phishing messages, too. That’s in addition to the phishing e-mails from around eight different banks I have never had accounts with. It’s not just you.

  14. SimonSwegles says:

    A few studies have shown that spam is profitable at ludicrously low click-through rates. Microsoft’s study determines that a spammer is profitable if 0.001% of the targeted people fall prey to their promises.
    There is only a coincidental relationship between any individual’s receipt of spam/phishing e-mail and membership in whatever business or organization is being shilled or masqueraded.