My eBay Adventure with My Account Being Hacked

[Guest mrclean0325]

To preface the following, if you have read my other posts you know I am a security and privacy advocate (or paranoid nut job - whichever you choose). Even though I go to great pains to make things as secure as possible, even I make mistakes and I made a doozy this time. So I hope you find a few lessons here to help you in the future. So grab a beverage and read what I have went through, it may be the most important thing you read today.

Yesterday morning started out like many other days. I was busy checking my email and attending to the business at hand. While checking my email I noticed I got an email from eBay. It was an "eBay Change Email Notice" and thanked me for updating my email address. It further stated if I didn't authorize this to click a link.

This is pretty standard right? These things are done to make sure you did what was done and not someone else. I have gotten them a time or two before but it was an "unauthorized attempt" other accounts and usually pretty easy to fix as you just change your password to a better one just in case. You trust the site to have these security measures in place to protect you. You also trust they have an easy to use fix for them too.

Since I did not change my email at eBay, someone had hacked my account to do it. I have not had any activity on this eBay account since 2004. I occasionally would go there and shop, but ultimately found better deals elsewhere. It did upset me since I didn't know how much of my info, or how current it was, in the account for prying eyes to access since it had been far too long since I used it for anything.

In the back of my mind I knew if someone changed my email they were, in fact, inside my account already. Who knows how long they have had access before they changed the email. Hours, days, weeks, years?

So since I didn't change my email, I clicked the link to change it back and also the password to prevent further problems. Should be easy peasy right?

I clicked the link to go to the site to report the theft of my account. Guess what? You need to login to report it and my login no longer worked. Whoever changed my email also changed my password. I should have figured as much.

After a bit of searching, struggling, and clicking links - every link in every support article required you to login to do anything to report this kind of thing. You would think a company as big as eBay would have a different way to access and report these type of things, they didn't.

Through some further digging and wasting more time for whoever to do whatever they were doing in my account, I did find a way to get into my account. I had to use my PayPal login which also linked it to my eBay account. This did give me some pause since I didn't know how the person using my account could access this information until I could get them out. I didn't have a choice at this point.

I used my PayPal account to get in and I immediately changed my password. This in itself was a chore since I had my password manager create a very long and complex new password. Unfortunately eBay does not allow you to paste in a long complex password or anything else - you have to manually type it in. You also can't see it, so one mistake and you are done to try again. So I had to come up with one I could use quickly. Ultimately I had to do this three total times.

Then as I tried to go through the layers of information to find where to change back the email address back to mine, I was kicked out of the account. Obviously the person who hacked it got an email that it was changed. I am not sure how they got back in so quickly since I had changed the password and I couldn't get in quickly or easily.

Obviously they were well aware, and very proficient at, how eBay handles theses things and how to get back into my account. They could also have a very good password cracking software to get back in so quickly. Or it was an inside job with someone who had access to the information. It could also be that eBay was compromised and hadn't told anyone or didn't even know.

So back to using my PayPal account to log back in and quickly change not only the password but the email address. I, of course, got the emails about changing my password. I also got an email that eBay did in fact put hold on my account. They said they suspected some unauthorized activity on my account.

Whoever took my account over had listed a product for sale while in the account which eBay had on hold. None of this was present when I finally took back my account.

When doing damage control, I went through my account to see what information this "person" may have had access to. The strange thing I noticed is most of the important info, besides my name and physical address, was redacted. Phone numbers, credit card info, email addresses, all of it was not able to be seen except for a few characters. So I wasn't able on my first time through to see the hackers email address.

The only reason I can think of for them to do this is they have unauthorized people do this more than a few times. In their emails, there was reference to their TOS which does in fact state they are held blameless for any of my information an unauthorized person may use and it is my responsibility to keep my information secure - not theirs.

So through some fast typing I now had control of my account again and nobody was using it for nefarious deeds, I hoped. Now I needed to let eBay know there was a problem to have them do whatever they do to whoever hacked my account, if anything. Remember, I am responsible for keeping my account secure. I could now login and use the reporting links.

Another problem though, they require a PHONE call from the number registered to the account. This is to prove your identity. Nice move though I had no idea what phone number I used in the account and couldn't see what it was since it was redacted. I created it back in the '90s remember. There is no other way to report this. Nice...

Like many, I had no idea what phone number way back in the '90s I might have used since I have moved and changed numbers over a dozen times over the past 20 or so years. So I will call it a loss of a bit more of my information to the voracious appetite of the web. It has taken way too much time out of my life to just get this far. I still have a way to go to make sure it doesn't happen again on other sites.

So they got my physical address. Nothing to worry about right? Not so fast. The more information someone has from you the more complete an "avatar" they can create. Even just getting my physical address can turn up a LOT of information. It will negate just about every security question on every site I have an account. So now I look forward to a lot of time spent changing up all of my sites since i have no idea what information other who don't have my best interest at heart have.

Grade school? Easy to find. Previous addresses? Easy to acquire. Pet names? Also easy to get. Just think of what your answers are to the security questions. With enough information, you can access just about any account and not be the legal account holder. Don't think so? Do a search on your own name and information and be ready for what you find.

If you think about all the little pieces of information about yourself you have left all over the web, you should be very scared. Someone with nefarious intentions can just look at anyone's Facebook account and get enough information to impersonate you. Birthdays, anniversaries, relatives, friends, business associates, the amount of data is staggering.

You are a digital jigsaw puzzle and there are some very skilled puzzle solvers out there.

Sure whoever did this could be just trying to make a buck from using a good "clean" and trusted eBay account. Someone who knows how eBay works and obviously has some skills in this area of stealing accounts. How many other accounts are they in and I don't know since they haven't done anything yet? Changing ALL of my passwords will stop them for a bit, but they can use the other information and still may get into my accounts without a password. It also won't erase whatever data they may already have gotten while just in my account. They can just log in and copy out whatever they want and nobody would know it.

 

I found someone hacked one of my Gmail accounts years ago. I noticed there was a login when I know I didn't log in. Gmail at least tells you at the bottom of the page when your last login was and from where. Do you check that? Do you keep any information in emails like usernames and passwords, account number information, or sensitive data in your Gmail? In this case they didn't "do" anything, but they could see everything in my emails, my address book, and all of the other Google stuff associated with that account.

 

I even once had a spammer hack my Yahoo email and start sending spam while I was in reading emails. If I didn't see it happening while it was going on, I would have never known. The emails were being sent and deleted from my sent folder as fast as they were made and sent out to my entire address book. This also required a quick password change to get them out of the account and stop them. I also didn't use that account anymore, i deleted my address book and called it a day.

 

Both instances required changing not only that sites security stuff, but all my others since I didn't know what was compromised. I didn't have as much then to secure. Neither of them had any important information on them.

The question is how did they do it in the first place? How did they get in? Did they know my password or did they crack it? If they knew it, how did they get it? I have been notified of someone trying to get in one account or the other a few times in the past and changed the password for them to something much harder to guess and I don't use on another site.

What about the sites themselves? Could a site I have used the same username/password combination have sold it or been compromised? You don't hear about the break ins until well after the fact. On the dark side of the Internet, the more complete an identity you can compile - the more it is worth. Sites get hacked all the time and sometimes they don't even know it until much later.

Most sites don't know until someone sees their data for sale to the highest bidder. They know whose site it is from as they usually use a fictitious person as a marker and when they see that data know it is theirs. There are also "good guys" spotting these things and reporting them.

This is a question I am rolling around in my mind...how did they get the password. So I tried to search my database for any other instance of using this combination or even the password used before itself. The program didn't help very much as it didn't have this feature. So I had to export the entire database and search it manually.

The problem is when you get hundreds of site you have joined over the years, you tend to forget things. The early ones where you were naive and trusting could be your downfall. I did in, fact use, this combination on several sites I haven't used for years and some no longer exist. It could have been any one of them or none of them.

Now I feel really stupid since I used it on sites I knew were not secure and it could have been easily discovered. I just didn't realize I had used it on a site like eBay too. Most of the sites were in this venue - Traffic exchanges, membership sites, and the lot. I did it because it was "easier" to remember them to use the same password. I pretty well forgot about them since i haven't used them in years. Luckily I never deleted them from my password program not that it helps but to show me my stupidity.

So why weren't these sites secure you ask? It has nothing to do with if the site itself were hacked or not. Look at the emails you get when you join them. They send back your username and password in an unencrypted email. It is basically plain text. It is how the many common scripts are designed to do it.

To make it clearer, plain text can be read by ANYTHING. It can be intercepted at the origin, enroute, or at the destination. Readily available and free scripts can intercept emails, web sites, keystrokes, and more you don't want to know about through any connection, even WiFi. Ever checked you email on a free WiFi? Anyone at the WiFi hotspot can run a simple program easily gotten and see everything anyone is sending or receiving and read it. Someone near your house can do the same on YOUR WiFi.

This is the reason Google is pushing to get all sites https secure. This is why they changed their sites to https. This is why they tell you when an email is sent unsecured if you look at it. This is the lock thingy. The lock means the connection and data transferred was encrypted and not plain text for anyone to see. Not foolproof, but a start in the right direction.

Another problem is what happens to data from sites when they close down? Is the database destroyed or preserved somewhere someone can eventually get to it? You never know. All someone has to do is find where you have an account and give an old username/password a try. The security questions will stop them right - read at the above again.

Another problem is you get known by a username or nome de plume when online after a while. It is your branding and you tend to use it at a lot of sites. It is your Internet identity. It will let anyone who wants follow you around the web and see what sites you are a member of and sometimes better than your real name does. If you put in my username into Google, you will see some of what I have been up to over the years. Because nothing ever disappears from the Internet - EVER.

 

Is the site and everyone who has access to it trustworthy? You may trust the owner, but what about tech support? They have no idea if the freelancer they hired to fix something will not steal a copy of the database. It only takes a few second to do. Is the place they store their backups secure and how trustworthy are they? It is worth $$$ to others, sometimes a LOT of money. Money is a strong motivator.

Could this also be a person who I have sent out my spam complaints to their affiliate network and payment processor? I have increased my activity in this area lately. Could this be revenge for them not having any account and trying to use mine? Should I also be worried since they now know my real physical address? What other nasty things can they do to me? Have I painted a big red bullseye on my own back?

I know at this point you have probably had some thought about your own situation. Could this happen to you? What can you do about it?

I don't have a good answer. If even someone as "paranoid" as me had this happen, it can happen to anyone.

I don't blame eBay or the hackers or other sites I used the password on. I blame myself for being lax in my own personal security. I didn't want to take the time to go back and secure sites I didn't use often or at all anymore once I learned more about security. I didn't make sure I didn't use the same password again on another site.

Do I have more passwords I did this? Probably. I would have to go back through my database and do some mining and a lot of going to sites and changing things. Not a quick or easy thing to do. Even deleting the account doesn't remove the information from the database that will still be out there...somewhere.

Should I change to another password program that tells me when I have a duplicate? Though there are quite a few password manager programs (I have spent more hours than I want to admit to after this searching) few do. The ones that do are online or a plugin for a browser. They have also been compromised in the past. Why give someone a chance to do it to me again? The other problem is transferring the data from one to another. Most I would have to recreate all the entries manually - all few hundred of them.

Another problem is a lot of sites are doing what eBay did - not allow you to paste in a password. So if you do manage to type in a very long and complex password twice, one single error in putting it somewhere like a password manager will not let you into the site when trying to access it in the future. Copy and paste is always accurate, typing is not.

Long passwords are VERY hard to remember. My daughter changed to a very long sentence as the password for her computer and then couldn't get back into it. She thought she could remember it (and didn't write it down) since it was a sentence, she was wrong. It defeated the best cracking software I could find to get into her account as she couldn't remember the exact wording of the sentence or the exact spelling of each word. Luckily she hadn't encrypted the drive so I was able to recover her data using other methods.

Most of the sites have the standard "CYA" TOS so they are harmless in these type of cases. So don't think you can sue if someone destroys your life with stolen data, you agreed it is your responsibility to keep it secure and it does hold up in court.

So I will have to let "convenience" and "easy" go since it is what ultimately got me into trouble in this case. There was a point which I started doing better but never went back to correct previous mistakes, it would have been a lot of work. I should have taken the time.

Your security is only as strong as your weakest link and that link it you.

You have to understand there are people out there doing this. This is what they do, this is their job. It is how they feed their families. They spam and hack accounts and use them to make money. You are just a tool and collection of data they can sell to the highest bidder. Some do it for just fun and games. It is a fact I will probably never know exactly how they got into my account unless they tell me and I don't see that happening, do you?

Just use my experience as a warning and really think about where your information is and with who. It may be a pain in the butt for password management, but the alternative is far worse. Just don't think it couldn't happen to you. Someone may already be in your accounts and until they do something, you will NEVER know.

 

I used to think others were paranoid nutballs too until I experienced it firsthand.

[davepilgrim]

Bejesus!

 

Thought Halloween was long gone! What a horror story...

 

The scale of this threat is truly scary when you make it plain just how easy it is to hack multiple accounts like this.

 

Thanks so much for this info... the daunting task is now how to tackle the problem.

[rpsmith]

I had an experience similar to yours quite some time ago. Some hacker got into my account and had set up multiple auctions while causing me to foot the bill. Ebay noted the activity and suspended all auctions (and my account) while notifying me of the illegal activity.

 

I had to jump through quite a few hoops and verify who I was before I could get my account back. It was a nightmare. I wound up having to change all of my passwords in all of my related accounts. In the end though, I had to delete the ebay account and set up another one. Not sure why though, I don't shop there much any more.

 

While they have denied it in the past, I think ebay has had data breaches more than once. I seem to remember one a few years ago that made the news.

 

I have learned to beware these "Your Account Has Been Suspended" emails as they have been known to be actual phishing attempts by hackers. In the past, if I am not sure, I send it to the spoof email address of sites like Paypal and Ebay (I think they have one). They will usually verify if it is theirs or not within a day or so.

 

I have also learned to check the url in the url repeater in my browser. If it doesn't make sense or looks outright suspicious, I send it to the spoof addresses I mentioned before. I don't usually go through the link supplied in the emails for the above reasons. Again, I have gotten very suspicious when I see these emails. I open another window and log in (if I can) to the suspect account.

 

The scary part of this is that these hackers and such have gotten much more sophisticated in their operations. I remember seeing an article on real and fake sites like Paypal and Ebay. The articles in question challenged the reader to figure out which one was real and which was fake. It was nearly impossible.

 

Just food for thought.

[Guest mrclean0325]

All the problems with eBay were through the actual eBay site. All the emails were from eBay. Yes, I have gotten the "Account Suspended" and "Your account was limited" type emails and they are pretty easy to figure out since I get them at some of my emails that have never been associated with either my eBay or PayPal accounts. They are also sent unencrypted and don't have the proper security info. Thinking about it, I have never gotten one of these on the actual email I use for either one - unless it just went to spam and I never noticed it. The fake sites are easy to determine too if you look at the security info in the browser.

 

Looking at the links in the link preview is a good habit I use too. The bad thing is some sites won't let you preview the links. The old Opera browser would let you preview any and all links even the ones that wouldn't in other browsers. I miss that the old Opera...

 

No, the only hacking being done was into my account on the real eBay site in this case. The hoops I jumped through were all eBay.