Son of a $&*%%*---my ebay account was hacked!

[David Hingtgen]

Is there something going on today? When I checked my email today I found a bunch of spam--from myself! (In Spanglish and part French it seems). Very weird compared to normal Ebay spam (which that particular email account rarely gets) so I checked my ebay account--and couldn't sign in! Very soon thereafter, I got this email from ebay:

A26 TKO NOTICE: Restored Account - *******

Dear *********

It appears your account was accessed by an unauthorized third party and used to send unsolicited emails to other community members, including email offers to sell items outside of eBay. It does not appear that your account was used to list or bid on any items. Additionally, the email address on your account may have been tampered with, which is why you may not have received any emails about this activity.

At this time we have taken several steps to secure your eBay account. Rest assured that your credit card and banking information is safe on the eBay site. This information is kept encrypted on a secure server and cannot be viewed by anyone.

To regain control of your account, please complete the following:

1. Change the password on your personal EMAIL account to verify that it is secure and cannot be accessed by anyone other than you.

2. Change the password on your eBay account. To do so, click the "Forgot your password" link on the eBay sign-in page and change your password using the instructions provided.

3. Follow the steps below to secure your account:

> Click on the "Security & Resolution Center" link found at the bottom of most eBay pages.

> Click on the "eBay Account Protection" link in the "Online Security Resources" box. This will take you to the help page titled "Securing Your Account and Reporting Account Theft."

> Follow the instructions provided in "Securing Your Account".

As you take these steps, please be aware that you may need to repeat the instructions provided above or use the "Back" button on your Web browser to return to the "Securing Your Account" page.

To learn more about these fake or "spoof" eBay emails, visit the "Security Center" link found at the bottom of most eBay pages followed by the "Stopping spoof emails and Web sites" under "General Online Safety."

Password guessing

If you use a fairly simple or easy-to-guess password, it is possible that someone could guess it after repeated attempts. For this reason, it is important to use a password that consists of a combination of letters and numbers and is not related to your user ID, name, or anything you buy or sell. It is also important to use different passwords for the various online accounts you use (email, PayPal, etc).

Computer viruses

There are a number of computer viruses in circulation that log and record keystrokes. It is recommended that computer users keep their virus alert software up-to-date and regularly check for operating system and web browser updates. A firewall for high-speed internet users is also highly recommended.

Any inquiries regarding your password or other information about your account can be sent to us by clicking "Help" on any eBay page and then selecting "Contact Us."

If you are contacted with questions about the messages that were sent from your account or other related issues, please refer those individuals to the web address provided above.

Regards,

eBay Trust & Safety

[David Hingtgen]

Now, this is the reply I sent to ebay:

<<<<<<<<<

How the hell did this happen? My ebay password is not guessable--you could literally throw the oxford dictionary at it and not get it. And it is utterly unrelated to friends, family, places I lived, pets, or anything else anyone might possibly know about me, or even find out. Nobody could possibly guess it, and only one person in the world that knows me would recognize what the word was/meant if I told it to them.

<<<<<<<<<<<<

Personally, I also think Ebay should send out letters to all the people that were spammed, and not have ME tell people what happened.

Also---they say in part 1 that I should change my EMAIL account password. Must I? That one is super-secure--as in, a fairly long string of random sequence of numbers and letters. There is no way my Ebay account or info would "know" what my email password is. I'd hate to have to learn/memorize another long string of random things.

Sigh---I was JUST about to change my password anyways this week, as I'd had my current Ebay password for a very long time.

[eugimon]

wow, that sucks. I've gotten phishing scam emails from 'ebay' before but I've never actually been hacked.

[David Hingtgen]

Also, Ebay wants me to fill out my complete name, address, phone number etc to "verify" who I really am--however, I am currently suspecting that *ebay* is not secure. I have not been to a spoof site, gone to any "bad" websites etc. Just check with hijack this etc and there's no password stealers etc. Now, I was on ebay last night and did have to type in my password to log in to check completed auctions---but I can't imagine any way someone was "watching" to steal it.

Since I currently am not trusting ebay, I do not want to type in all my private info to them, especially through their live-chat help window. Of course, if ebay itself is compromised, everything of everyone's stuff is compromised--which is hard to imagine.

[one_klump]

You may want to check your system for keyloggers, they are very crafty these days, mousing over an ad will download one in some cases. It also looks like Fraps was hacked too, because people who downloaded it from the official FRAPS site have had keyloggers installed onto their system from the file.

Trust me, no one is safe.

Are you running Firefox with the No-Scripts plugin? it does help immensely.

[David Hingtgen]

Any particular program that'll look for keyloggers? I normally run Avast for virus protection, and AVS sometimes. I have my PC "immunized" with Spybot search and destroy, and am running a check with it now just in case. If there's a keylogger, I have to change EVERY password. (And I just changed my Amazon one too, gah)

[David Hingtgen]

Ok, the last time I used my ebay password before this was a few days ago, I got a "favorite searches will expire" email----are those ever faked so well that they're 100% correct-looking? As in, it even had the search terms correct? (I use very advanced searches, with commas, parentheses etc). Could it have been a phishing favorite searches fake, that was so perfect that even I was fooled? But how could anything know what my saved favorite searches were.

Spybot found nothing, now checking with AVG. (AVG's finding some website cookies as always, but those are nothing)

PS--ebay says that an ebay account can be gotten into by someone having access to your email account--but that's nigh-impossible for me, for as I said--my email password is a random string of numbers and letters, and cannot be guessed no matter what. And I've still found no evidence of a key-logger, trojan, etc that could have recorded my mail email password.

[eugimon]

Ok, the last time I used my ebay password before this was a few days ago, I got a "favorite searches will expire" email----are those ever faked so well that they're 100% correct-looking? As in, it even had the search terms correct? (I use very advanced searches, with commas, parentheses etc). Could it have been a phishing favorite searches fake, that was so perfect that even I was fooled? But how could anything know what my saved favorite searches were.

Spybot found nothing, now checking with AVG. (AVG's finding some website cookies as always, but those are nothing)

PS--ebay says that an ebay account can be gotten into by someone having access to your email account--but that's nigh-impossible for me, for as I said--my email password is a random string of numbers and letters, and cannot be guessed no matter what. And I've still found no evidence of a key-logger, trojan, etc that could have recorded my mail email password.

phishing emails look *very* real. The one I got said it came from a legit ebay corporate email account. As a rule, I never click on links from emails, especially if it re-directs me to my account. I always manually go to my account to double check through normal means.

[Scream Man]

ditto. Sorry to hear that man!

[David Hingtgen]

I'm going to go into safe-mode and do deep-level scans for a couple hours. Still haven't found anything from the "quick" scans from 3 different programs but I have to be sure there's no keylogger snagging all my passwords.

[Necron_99]

Reason #789,431 why I no longer use Ebay or Paypal. Sorry to hear about that.

[azrael]

I'm going to go into safe-mode and do deep-level scans for a couple hours. Still haven't found anything from the "quick" scans from 3 different programs but I have to be sure there's no keylogger snagging all my passwords.

If you still feel funny, reformat your system.

[physioguy]

No matter what company the email comes from (ebay, paypal, whatever) and no matter how official it looks, just don't respond to any of it and definitely don't click on links and give any personal info.

If ebay, paypal or whoever really have anything important for you to do, it will show up when you log in to your account.

[Uxi]

Yeah, sounds like phishing to me. Hopefully you didn't log in from any of the links. If you do, go to the browser and manually type in the www.ebay.com and log in and change your shiznit asap.

[Tober]

I had exactly the same thing happen to my account about 6 months ago. I really freaked me out at the time too because I don't use a guessable password either.

I went through the eBay live help with no problems - lady there was fast and helpful but would not go into specifics as to how my account was hacked - she just gave me a standard reply like the one in your first post. The eBay notification I got did say that they sent out emails to spammed people explaining that my account was compromised.

The only thing I could think of was a key-logger but everything else is fine - hotmail, gmail, home email, amazon, bank accounts, PayPal - I mean surely they would rather have my bank account or PayPal details than eBay.

Six months later everything is fine, so I've basically concluded that there's probably a hole in eBay security somewhere that a bot managed to get into.

[David Hingtgen]

I'm guessing that too (hole in ebay security)---googling around, some guy in Romania managed to get 1200 ebay passwords/accounts last year at once---no way THAT many people are gullible to even the best phishing email. And I've been going through my last month of emails---all are valid, none are even slightly suspicious. (unless it's SO good a fake that even looking for a fake ebay email made me miss it again) But again---it would have to be a fake of my specific "daily item search", not a generic "problem with your account" email. I know every "account problem" email ever sent in the world is a fake.

And after 5 scans, 2 of them in safe mode (one of which took 5 hours and scanned every single byte on the hard drive), no program has yet to find any sort of virus/adware/malware/trojan, and all of them have todays latest updates. (Avast, AVG, Spybot)

[Morpheus]

I'm guessing that too (hole in ebay security)---googling around, some guy in Romania managed to get 1200 ebay passwords/accounts last year at once---no way THAT many people are gullible to even the best phishing email. And I've been going through my last month of emails---all are valid, none are even slightly suspicious. (unless it's SO good a fake that even looking for a fake ebay email made me miss it again) But again---it would have to be a fake of my specific "daily item search", not a generic "problem with your account" email. I know every "account problem" email ever sent in the world is a fake.

And after 5 scans, 2 of them in safe mode (one of which took 5 hours and scanned every single byte on the hard drive), no program has yet to find any sort of virus/adware/malware/trojan, and all of them have todays latest updates. (Avast, AVG, Spybot)

Have you try Hijackthis? The scan result should show something, and if you are not certain about the content of the report, you can post them on some forum who consult hijackthis report.

I also use Super AntiSpyware and it managed to capture several trojan who are previously undetected with my Avast antivirus.

[VFTF1]

Eek. Well - this is just another reason for me never to open email from "ebay" or "paypal" or any company.

Like others say- go through your ebay account in future.

VFTF1

[Chewie]

Sounds like you got keylogged through firefox.

There are sites out there that keylog using firefox as the interface. Totally undetectable unless you are running the noscript addon in which case it just blocks entire chunks of certain sites or the sites altogether.

It's how A LOT of scammers are stealing WoW, myspace, and ebay accounts and is another perfectly amazing reason to NEVER use IE again (if you do).

Edited May 5, 2008 by Chewie

[protostar8]

Hey,

I had the same thing happen about 2 years ago. It occured during a time when I hadn't accessed my account in about a month (and the hacker somehow mysteriously figured out my password, which would have been really hard). I honestly think Ebay isn't secure and has inside leaks. Either way, they restored my account too after a lengthy live help session. Just for your knowledge, the person was sending spam from my account in various languages too, so it might be the same group that got mine.

Edited May 5, 2008 by protostar8

[David Hingtgen]

I'd like to re-state that I went through the past month+ of email---there was nothing. I didn't do the standard "click on an email link to my ebay account"--I didn't even GET any emails from ebay (real or fake) other than my daily favorite searches. And those don't even ask for your account info nor for you to log in, they just take you right to the search results.

Can I have more info about this firefox keylogging? I run my net browser fairly "locked down" and don't allow that much (activex, script, java, etc) by default--nearly every site is personally added by me to trusted sites before it's allowed to do anything----but I'd need to know exactly what settings do/don't allow that to know if I have it already prevented.

[physioguy]

I'd like to re-state that I went through the past month+ of email---there was nothing. I didn't do the standard "click on an email link to my ebay account"--I didn't even GET any emails from ebay (real or fake) other than my daily favorite searches. And those don't even ask for your account info nor for you to log in, they just take you right to the search results.

Can I have more info about this firefox keylogging? I run my net browser fairly "locked down" and don't allow that much (activex, script, java, etc) by default--nearly every site is personally added by me to trusted sites before it's allowed to do anything----but I'd need to know exactly what settings do/don't allow that to know if I have it already prevented.

Sorry about that.

that really sucks.

[eugimon]

David,

I don't think you were phished, I think your account was just plain hacked. On the ebay forums there's another person complaining their account was hacked and ebay actually has a long history of accounts being hacked.

http://forums.ebay.com/db2/thread.jspa?thr...d=1206024983043

[one_klump]

http://noscript.net/

Best addon for Firefox out there.

[miriya]

http://noscript.net/

Best addon for Firefox out there.

Thank you! That looks great.