
This morning over 1,200 eBay users had their credit card numbers and personal information posted for the world to see.

eBay was hit with a serious security crisis this morning. Hackers posted to the Trust & Safety forum on eBay.com personal account information of 1,200 users, including phone numbers and apparent credit information.

eBay verified that the account information was accurate and said that the posts were made to appear as if they originated from the affected users' accounts, which could indicate a possible mass account takeover.

eBay is trying to downplay the crisis by saying that the credit card information they've checked has been wrong... so far, at least. “The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal,” said the company in a statement.

eBay's forums vendor LiveWorld has been working with eBay's security teams to try to remedy and trace the incident.

The forums are temporarily unavailable, but a user made a video of the attack posts, which has been posted on YouTube.  The video obscures the personal information, mostly, but tries to show the times of the attacks and other pertinent information.

eBay has been a frequent target of malicious behavior due to its large traffic volume and financial data. Earlier this month DailyTech reported that security experts have been monitoring an ongoing attack on eBay by a giant bot-net. eBay constantly has to try to tackle these attacks and protect its customers’ information.



Comments

This is why....
By daftrok on 9/26/2007 1:09:21 PM , Rating: 1
You should never save your credit card information online.




RE: This is why....
By Master Kenobi (blog) on 9/26/2007 1:23:43 PM , Rating: 2
Wonder if this has anything to do with the bot net attack earlier.... Otherwise a lot of people just want to hack eBay. Both could be true ;)


RE: This is why....
By 16nm on 9/26/2007 3:17:04 PM , Rating: 5
quote:
Otherwise a lot of people just want to hack eBay.


That is true. They are a huge target just like Microsoft Windows is. But, I bet Google could run a better auction system.

I for one think that if eBay is going to charge the high fees that they do for just being a "listing service" with no guarantees then I think they should get their system in order and security should be top of the list instead of new features that help drive up the ending prices of their auctions. Their priorities are out of whack.

I can not wait for Google to start their online auction service. I am going to run to them like flies to droppings. Competition is seriously lacking in this space. Things are going to change considerably once there are two or more competitors.


RE: This is why....
By tjr508 on 9/26/2007 1:33:10 PM , Rating: 2
So you suggest making the Internet ten times more of a hassle so that you can avoid a 0.01% chance of having to cancel a card or a few charges? A little common since goes a long way.

We don't even know yet if the breach is the fault of eBay. It could have been a massive phishing attack and only the results are posted. It could have been usernames/passwords off of bogus sites that matched up to eBay and then the information was compiled.

I myself will continue to enjoy the Internet the way it was meant to be enjoyed and while I use some common since (no identical usr/pass, no untrusted sites), I will not let a few hacks intimidate me from enjoying my online experience.


RE: This is why....
By Sanity on 9/26/2007 2:48:26 PM , Rating: 3
Sorry, I wouldn't normally say anything, but you used it twice. It's common sense. Not since. Not trying to be a jerk.


RE: This is why....
By headbox on 9/26/2007 5:12:46 PM , Rating: 2
Yeah, it's common sense to spell it "common sense."

With so many transactions per day, I'm impressed with eBay's security.


RE: This is why....
By Blight AC on 9/26/2007 1:53:45 PM , Rating: 2
Well the alternative is to transmit your Credit Card information over the internet every single time you make a transaction, which can be intercepted. It's still a risk.


RE: This is why....
By thejez on 9/26/2007 2:09:31 PM , Rating: 2
there are better ways... such as generating one time CC #'s for each purchase... there is no reason to store your CC number on any website.... this is a trend you will see go away over time as it is in fact a risk to the credit card companies and its customers.


RE: This is why....
By Alexstarfire on 9/26/2007 2:38:11 PM , Rating: 2
The only problem with that is that where are you going to get a random credit card number for each transaction? For the most part, the internet. By that logic it's no safer than any other method. Of course they could always do what a lot of higher security places do for security.... have personal login keys that change to a random number every 1 minute. With it changing so much it'd be nearly impossible to hack it since computer power can't hack it THAT fast, yet.


RE: This is why....
By blueflash2o on 9/26/2007 3:44:25 PM , Rating: 2
You can get a multiple secure online account number "Random cc number" from Discover Card if you have Discover Card.


RE: This is why....
By Moishe on 9/26/2007 2:11:36 PM , Rating: 4
quote:
The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal.


What this tells me is that someone got account information and CC info separately and posted them. It could easily be phishing and not a "hack" at all.

Also the fact that the "hacker" posted the names on the forum pretty much says one thing... "I could screw you, but I won't".

Giving away that kind of information removes its usefulness and instead acts like a warning (albeit a nasty one).

I'm not saying the "hacker" did the right thing, but it's certainly not clear where the data came from, how accurate the data is, or who got "hacked".


RE: This is why....
By eek2121 on 9/26/2007 2:51:40 PM , Rating: 2
Actually, you DO store CC info online. Believe it or not it is safer. You just store it securely like we do at ConnectiveX.

1) When the user submits new credit card info it's encrypted and batched to a holding area.

2) Once a day a secure server is brought online and it downloads credit card information.

3) The said secure server cannot transmit info, only receive.

4) Server is taken offline for security reasons.

last 4 digits of CC# is kept for id purposes only.


RE: This is why....
By Etsp on 9/26/2007 5:08:38 PM , Rating: 3
If that said server cannot transmit data, then what good is it to have the data on it? The purpose of storing the data is so that it can be retrieved for future use...


RE: This is why....
By Scrogneugneu on 9/27/2007 12:20:50 AM , Rating: 2
Shhhh, you're ruining his PR speech!


RE: This is why....
By jmunjr on 9/26/07, Rating: -1


RE: This is why....
By Alexstarfire on 9/26/2007 5:03:51 PM , Rating: 2
I have one word for you: "idiot."


RE: This is why....
By afkrotch on 9/26/2007 8:17:19 PM , Rating: 2
quote:
You should never save your credit card information online.


If you have a credit card or bank account, guess what? It's already online. Thanks to the company's own servers. Think before you speak.


Hack? I doubt it...
By iFX on 9/26/2007 1:57:39 PM , Rating: 4
More likely stupid people have responded to FAKE emails with their account information or logged into a FAKE signon screen that sometimes you see on eBay when you click a shady auction.

People are stupid, what can I say? There are TONS of people who give away their information to scammers every day without hacking of any sort...




RE: Hack? I doubt it...
By Nik00117 on 9/26/2007 2:08:46 PM , Rating: 2
I think that it's a phishing attack, nothing more. Only 1,200 users? I mean you would expect more out of a serious hacker.


RE: Hack? I doubt it...
By Moishe on 9/26/2007 2:14:29 PM , Rating: 3
It's true... you can't really fix stupid and unfortunately many people are just so naive (and ignorant). A small percentage of those emails are fairly convincing and the browsers do a decent job of warning you when phishing is suspected.

But there are millions of people and even 0.001% is still a fairly large number.


RE: Hack? I doubt it...
By Alexstarfire on 9/26/2007 2:32:57 PM , Rating: 2
I don't trust emails period, unless it's from a friend, and even then the subject has to make sense for me to even look at it. About all I trust out of the emails I get from Paypal, eBay, and the like are that they are telling me something may have happened. Unless I just purchased, or just sold something, I don't even open the emails, and even then I only open them so it says they are read. I literally just open them and then hit the back button. It doesn't even load all the way. If I get an email from Paypal, eBay, or whatnot and nothing I know of has recently happened I go straight to the site to check it out. If I login and nothing happens I just ignore it. Actually, for the most part if I get a random email from them I just ignore it.

You are right though, people are stupid. And as Ron White put it "You can't fix Stupid."


RE: Hack? I doubt it...
By kitchme on 9/26/2007 2:26:11 PM , Rating: 2
On Sep 17, I received a message from eBay (in my eBay account, not email) that they stopped someone from breaching my account, or that someone was spamming from my account. There's no stupid people replying to fake emails here. I don't know what happened, but it looks like nothing did (so far). I do have a cc info on there from years ago, but you cannot change it or delete it from there. You can only enter another one.


RE: Hack? I doubt it...
By melgross on 9/26/2007 6:40:29 PM , Rating: 2
I'm constantly getting phishing mailings.

Some of them are so outrageous that I keep them for the future, sort of an historical documenting.

I get them from banks I have no account with, plenty from ebay saying that my account is suspended because of suspicious activity, etc.

As long as you aren't stupid enough to do what they want you to, they're harmless, and sometimes amusing.


Google Did It
By Screwuhippie on 9/26/2007 1:35:29 PM , Rating: 5
Part 1 of the campaign of the self aware Google to take over the internet.




Copyright 2009 DailyTech LLC.