My Ebay account just got hacked!

Salvador

Diamond Member
May 19, 2001
Someone from the UK got my password somehow and listed an item under my Ebay account. I'm glad that I logged in tonight and found it because if I would've waited until tomorrow, the person might've sold something bogus under my username and defrauded someone. They used my username, but then added @AOL for their own email address. They must have something temporarily set up with AOL to accept money to this email account on PayPal or something. The other thing that sucks is that they rang up about $6 worth of listing fees under my account.

I went ahead and cancelled the auction then changed my password for my Ebay account. I have no idea how he/she got my password in the first place. I just updated my definitions with NAV and I'm running an Anti-Trojan software right now to see if I have any Trojans hiding on my system. My system is fairly secure. I'm behind a router/firewall. At least I thought it was secure. Guess I'm going to be using Zone Alarm again on top of this.

What scares me is that I don't know how they got my password. I certainly hope that they don't have any other passwords because I do all of my banking online.

I contacted Ebay. We'll see what they do about this. I wonder if they have a way to track this person down. I certainly hope I get my fees back. I guess it could've been a lot worse.

Sal
 

ElFenix

Elite Member
Super Moderator
Mar 20, 2000
i hacked someone's ebay account. well, not really. i thought it was my account, cuz i remembered i'd opened one a long time ago. the clue for the password was just too obvious.
 

Salvador

Diamond Member
May 19, 2001
You should have changed your password, "Salvador" was too easy
Heh.. Too bad that's not my account. ;)

I'm glad that I caught it too. If someone would've bought the item and sent payment to the person at the aol account, they would've been defrauded and I would've certainly been left holding the bag screwing my account over. I'm sure I will get it straightened out with Ebay, but what a hassle. Now I have to get the $6 in fees back for the guy's listing.

I still don't know how he/she got my password. I'm scanning right now for trojans. I'm worried about logging into my bank account. I want to log in to check if it's all right, but I'm afraid to do it until I make sure that my system is clean first. I really hope that all this person got was my password for my Ebay account.

Sal
 

Eli

Super Moderator | Elite Member
Oct 9, 1999
Was your password a simple word?

My password is 12+ characters...I hope nobody bothers to crack it. :p
 

Salvador

Diamond Member
May 19, 2001
Was your password a simple word?
6 characters. How does someone hack that though? Do they just try different words or do they have a method to do this? I'm just trying to understand how they got the password.

BTW.. My new password is 12 characters.

Sal
 

Eli

Super Moderator | Elite Member
Oct 9, 1999
Originally posted by: Salvador
Was your password a simple word?
6 characters. How does someone hack that though? Do they just try different words or do they have a method to do this? I'm just trying to understand how they got the password.

BTW.. My new password is 12 characters.

Sal

Well, if they really wanted to.. 6 characters would only take like what, 4 hours(?) to crack. Probably depends on the speed of the computer, but still. I really don't know, other than the brute force method, and trying all the words in the dictionary. Mine is 12+ characters, both numbers and letters... so.. good luck, potential hackers. :p

I'm active with my eBay account though, so I'd catch anything weird within 12-24hrs of it happening.
 

Salvador

Diamond Member
May 19, 2001
I'm active with my eBay account though, so I'd catch anything weird within 12-24hrs of it happening.

Me too. I caught it within an hour or so after the guy listed this item on my account. It seems like such a waste to spend 4 hours to hack my account when I caught it so soon. I'm just hoping that's what he did. I can live with changing my Ebay password. That's no biggie. I just want to make sure that he didn't get to anything else with some kind of Trojan picking up my keystrokes or something.

Sal
 

Eli

Super Moderator | Elite Member
Oct 9, 1999
Originally posted by: Salvador
I'm active with my eBay account though, so I'd catch anything weird within 12-24hrs of it happening.

Me too. I caught it within an hour or so after the guy listed this item on my account. It seems like such a waste to spend 4 hours to hack my account when I caught it so soon. I'm just hoping that's what he did. I can live with changing my Ebay password. That's no biggie. I just want to make sure that he didn't get to anything else with some kind of Trojan picking up my keystrokes or something.

Sal

Yeah. That's a scary thought. :Q My PayPal account would be vulnerable, at that point.....
 

bcterps

Platinum Member
Aug 31, 2000
Did you have a password hint that was easy to guess? I'm surprised the person who hacked your account didn't just change the password.
 

BeauJangles

Lifer
Aug 26, 2001
Originally posted by: Eli
Originally posted by: Salvador
Was your password a simple word?
6 characters. How does someone hack that though? Do they just try different words or do they have a method to do this? I'm just trying to understand how they got the password.

BTW.. My new password is 12 characters.

Sal

Well, if they really wanted to.. 6 characters would only take like what, 4 hours(?) to crack. Probably depends on the speed of the computer, but still. I really don't know, other than the brute force method, and trying all the words in the dictionary. Mine is 12+ characters, both numbers and letters... so.. good luck, potential hackers. :p

I'm active with my eBay account though, so I'd catch anything weird within 12-24hrs of it happening.

I hate to break it to you, but your password isn't safe. LC4, cracking software put out by a security group, is capable of eventually breaking almost any password. The way hackers use it these days is they distribute the load across about 100 to 200 pcs (generally hacked PCs in a data center), it only takes three or four days, at most to break almost ANY password. Letters and numbers don't significantly increase the time it takes to break the password. The only thing that I've ever seen throw a wrench into the system is non alphanumeric characters. My main password, for instance, is eight characters, two of them are "-" (dashes). This adds about 4 hours to the crack, but LC4 can still get it.

LC4 isn't designed to break Ebay passwords, but rather operating system ones.

The only reason I mention this is because people have to start realizing that, with computers breaking the 3 ghz mark now, passwords are becoming less and less secure. If a hacker is dedicated enough, he will eventually crack your system.
 

Salvador

Diamond Member
May 19, 2001
I know.. It's weird that the person didn't change my password on me and lock me out of my account. I'm glad that he/she didn't because then I wouldn't have been able to cancel the auction that he/she set up.

I found out today from Ebay that this person had changed my email address on my account from my ISP's name to AOL (and people wonder why AOL is banned here). It was the same exact address only it was @aol.com instead of my ISP. Ebay changed that back for me. I have since changed all my passwords and I'm using more than just letters this time.

BTW.. My password hint is not easy. I don't even think my parents or anyone I know well would know this one.

My PayPal password is much more difficult than my Ebay password because they wanted more characters. I changed it anyway to be more secure.

Sal

PS.. Thanks BlinderBomber for the education on LC4. Scary stuff considering that we do more and more information sensitive stuff online these days (banking, etc..).
 

alkemyst

No Lifer
Feb 13, 2001
They usually won't lock you out as most people would realize it too fast. They usually do a 3 day or low BIN auction and try for wire payment or MoneyGram.

AOL sounds legitimate to half the USA, they never think about how easy it is to get a free account and think because they can IM someone they are also legitimate.

There are a lot of PowerBook scams now, almost all overseas and they will also hack an account to buy (at very high prices like offering the retail price or more) with and pay with a CC (which then gets back charged)...

With all the scams that work getting more documented it's easy to study up on what most will fall for. :(
 

yukichigai

Diamond Member
Apr 23, 2003
They probably picked you because your username wasn't taken on AOL and AOL can be free. Both my username and my e-mail addy for eBay are taken on AOL and NetZero. I dunno if that's what's kept me from being hacked or just law of averages, but it might help. Sucks though dude.

Incidentally, the easiest way to keep someone from defrauding other people on eBay when they hijack your account and lock you out is to sign up for a second account really quick and make sure to be high bidder on any items they post. Then wait for eBay to confirm you're you and someone hijacked your account. After all, eBay can't get you for attempting to defraud yourself.
 

Salvador

Diamond Member
May 19, 2001
Incidentally, the easiest way to keep someone from defrauding other people on eBay when they hijack your account and lock you out is to sign up for a second account really quick and make sure to be high bidder on any items they post. Then wait for eBay to confirm you're you and someone hijacked your account. After all, eBay can't get you for attempting to defraud yourself.
How can I check to see if this person didn't set up another account using my information? They would have to provide a credit card though, wouldn't they if they weren't hacking an existing account? I would also hope that Ebay would investigate this knowing what just happened.

As far as the AOL account goes, do you think they used my name for that account? Should I contact AOL (not that they'd care)?

I can see why they didn't change my password on me. If I wouldn't have logged into my account, I would've never known what happened. If they would've changed my password, I would've received notice of it. Then again, I didn't receive notice that they changed my email address, so would I have been notified of the change in password?

You know.. I used to have my Ebay account be the same as my email address, but shortened it later for brevity and because I didn't want my email address broadcasted out there. Considering that I just have my username, it made it easy for the seller to take that username and open an email account with another provider like AOL since my username was not taken (like mentioned).

I think I was also a mark because I'm a PowerSeller and have a 100% positive feedback record with around 300 positive feedbacks. I don't know that they would've attacked someone with a spotty feedback record.

Anyway.. I hope this is all behind me now. Thanks for listening.

Sal
 

Saltin

Platinum Member
Jul 21, 2001
When you log on to Ebay, it's not https/SSL.

Your username and password are passed to the server in cleartext.

Pretty simple stuff. Likely your machine wasn't compromised at all.
 

kaizersose

Golden Member
May 15, 2003
salvador,
REPORT THIS INFO TO PAYPAL! they can take the email address the guy used and block him (or at least make his life significantly more difficult). he will have to get new emails and a credit card. i know the guy in charge of fraud at paypal and he will gladly rip this guy a new one.
 

yukichigai

Diamond Member
Apr 23, 2003
Originally posted by: Saltin
When you log on to Ebay, it's not https/SSL.

Your username and password are passed to the server in cleartext.

Pretty simple stuff. Likely your machine wasn't compromised at all.

There's an option to sign in using SSL. If you're still worried I suggest using it.

They might have used your name for the AOL account, but that is probably more complicated to arrange than just using a fake name. I'm sure they didn't use a real name so tracing them may not be possible.
 

Salvador

Diamond Member
May 19, 2001
7,058
0
71
They might have used your name for the AOL account, but that is probably more complicated to arrange than just using a fake name. I'm sure they didn't use a real name so tracing them may not be possible.
I highly doubt that this person used anything to let themselves be traced. The AOL account was most likely bogus, so letting PayPal know about it would probably be a waste of time. That being said, I went ahead and contacted PayPal anyway to see if someone tried setting up a PayPal account with the same aol email address.

There's an option to sign in using SSL. If you're still worried I suggest using it.
Sorry.. What is SSL and how do I use it?

Sal